title: Process Execution From Shared Memory Directory
id: 5cd16c8f-44a6-4654-81e7-a84d6db507d4
status: experimental
description: |
Detects the execution of a binary from the Linux shared memory directory /dev/shm.
This directory is a tmpfs mount backed by RAM, which attackers abuse for fileless malware staging: files written there are never persisted to a disk filesystem (tmpfs pages reach disk only if they are swapped out) and so can evade disk-oriented scanning. It is also world-writable by default, so any local user or compromised service can drop and run a payload there.
references:
- https://www.sysdig.com/blog/containers-read-only-fileless-malware
- https://unfinished.bike/fun-with-the-new-bpfdoor-2023
- https://asiapacificdefencereporter.com/wp-content/uploads/2023/08/Final-CRWD-2023-Threat-Hunting-Report.pdf
- https://www.crowdstrike.com/en-us/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/
- https://www.linkedin.com/posts/avradeep_malware-apt-infostealer-activity-7373203959697719296-JR-7
- https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/
author: Stan Beukers
date: 2026-06-20
tags:
- attack.defense-evasion
- attack.execution
- attack.t1027.011
logsource:
category: process_creation
product: linux
detection:
selection:
Image|startswith: '/dev/shm/'
condition: selection
falsepositives:
- Unlikely in production environments. Some container runtimes and IPC frameworks use /dev/shm for shared-memory inter-process communication, but they should not execute binaries from it; any hit from a legitimate application should be documented and excluded explicitly rather than by lowering the level.
level: high
imProcessCreate
| where TargetProcessName startswith "/dev/shm/"
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
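The rule's selection is a prefix match on the resolved image path, which is exactly what a practitioner should test before deploying it, because the most common way to run a staged file from /dev/shm on a locked-down host is not to execute it directly but to hand it to an interpreter (`bash /dev/shm/run.sh`, `python3 /dev/shm/stage.py`); in that case `Image` is `/bin/bash` or `/usr/bin/python3` and the rule above does not fire. The following is an added example, not part of the Sigma rule, its Sentinel translation, or any of the cited sources: it applies the rule's `Image|startswith` logic to a handful of constructed Linux process_creation events, then applies a hypothetical companion check that inspects `CommandLine` for interpreter-launched /dev/shm files. The event fields, the interpreter list and the sample events are all assumptions for illustration.

```python
"""Added example: evaluate the /dev/shm execution rule against constructed events.

Not part of the Sigma rule or its references. The ProcessCreation fields mirror
the Sigma process_creation field names (Image, CommandLine, ParentImage) but the
events themselves are constructed for this example.
"""
import os
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreation:
    image: str          # Sigma "Image": resolved path of the executed binary
    command_line: str   # Sigma "CommandLine": full command line as logged
    parent_image: str   # Sigma "ParentImage": path of the parent process


# Constructed sample events (not real telemetry). Only the first one is a direct
# execution from /dev/shm; the next two launch a /dev/shm file via an interpreter.
SAMPLE_EVENTS = [
    ProcessCreation("/dev/shm/.x/kworker", "/dev/shm/.x/kworker -p 443", "/bin/bash"),
    ProcessCreation("/usr/bin/python3", "python3 /dev/shm/stage.py", "/bin/bash"),
    ProcessCreation("/bin/bash", "bash /dev/shm/run.sh", "/usr/sbin/cron"),
    ProcessCreation("/usr/bin/ls", "ls -la /dev/shm", "/bin/bash"),
    ProcessCreation("/usr/bin/cat", "cat /dev/shm/notes.txt", "/bin/bash"),
    ProcessCreation("/usr/lib/postgresql/15/bin/postgres",
                    "postgres -D /var/lib/postgresql/15/main", "/usr/bin/pg_ctl"),
]

# Hypothetical interpreter list for the companion check (an assumption, not
# something the rule above defines). Restricting to interpreters keeps
# "cat /dev/shm/notes.txt" from matching: reading a file there is benign.
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "php"}


def matches_rule(ev: ProcessCreation) -> bool:
    """The Sigma selection as written: Image|startswith '/dev/shm/'."""
    return ev.image.startswith("/dev/shm/")


def interpreter_launch(ev: ProcessCreation) -> bool:
    """Hypothetical companion check: an interpreter given a /dev/shm path argument.

    Uses shlex so quoted arguments are handled; falls back to whitespace
    splitting if the logged command line has unbalanced quotes, which happens
    with truncated or hand-crafted command lines.
    """
    if os.path.basename(ev.image) not in INTERPRETERS:
        return False
    try:
        args = shlex.split(ev.command_line)
    except ValueError:
        args = ev.command_line.split()
    # Skip argv[0]; require the trailing slash so bare "/dev/shm" does not match.
    return any(a.startswith("/dev/shm/") for a in args[1:])


def evaluate(events):
    """Return (image, rule_hit, interpreter_hit) per event for review."""
    return [(ev.image, matches_rule(ev), interpreter_launch(ev)) for ev in events]


if __name__ == "__main__":
    for image, rule_hit, interp_hit in evaluate(SAMPLE_EVENTS):
        print(f"{image:45} rule={rule_hit!s:5} interpreter={interp_hit}")
```

Running it shows the rule firing on the direct execution only, while the two interpreter launches are caught solely by the companion check and the `ls`, `cat` and postgres events match neither. If interpreter coverage is wanted in the deployed rule, it belongs in a separate selection on `CommandLine` (with its own false-positive review) rather than in this one, so that the high-confidence direct-execution hit keeps its `high` level.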