This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Bash Shell Profile Modification Bypass UAC via Event Viewer »

› › ›

Binary Executed from Shared Memory Directory

edit

Binary Executed from Shared Memory Directory

edit

Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Elastic
Host
Linux
Threat Detection
Execution
BPFDoor

Version: 101 (version history)

Added (Elastic Stack release): 8.3.0

Last modified (Elastic Stack release): 8.6.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Directories /dev/shm and /run/shm are temporary file storage directories in Linux. They are intended to appear as a mounted file system, but uses virtual memory instead of a persistent storage device and thus are used for mounting file systems in legitimate purposes.

Rule query

edit

process where event.type == "start" and event.action == "exec" and
user.name == "root" and process.executable : (
"/dev/shm/*", "/run/shm/*", "/var/run/*",
"/var/lock/*" ) and not process.executable : (
"/var/run/docker/*")

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/

Rule version history

edit

Version 101 (8.6.0 release)

Formatting only

Version 100 (8.5.0 release)

Updated query, changed from:

process where event.type == "start" and event.action == "exec"
and user.name == "root" and process.executable : (
"/dev/shm/*", "/run/shm/*", "/var/run/*",
"/var/lock/*" ) and not process.executable : (
"/var/run/docker/*")

Version 3 (8.4.0 release)

Updated query, changed from:

process where event.type == "start" and event.action == "exec"
and user.name == "root" and process.executable : (
"/dev/shm/*", "/run/shm/*", "/var/run/*",
"/var/lock/*" )

« Bash Shell Profile Modification Bypass UAC via Event Viewer »