
DET0541 Detection Strategy for /proc Memory Injection on Linux

Item           Value
ID             DET0541
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1055.009 (Proc Memory)

Analytics

Linux

AN1494

Detects adversary behavior where a process enumerates and modifies another process’s memory using /proc/[pid]/maps and /proc/[pid]/mem files. This includes identifying gadgets via memory mappings and overwriting process memory via low-level file modification or dd usage.

Log Sources

Data Component                Name            Channel
File Modification (DC0061)    auditd:SYSCALL  open/write to /proc/[pid]/mem or /proc/[pid]/maps
OS API Execution (DC0021)     auditd:SYSCALL  execve of dd or sed targeting /proc/*/mem
File Access (DC0055)          linux:osquery   /proc/*/maps access

Mutable Elements

Field                                   Description
TargetProcNameRegex                     Regex list of high-value processes attackers may inject into, such as sshd, nginx, or sleep
TimeWindowBetweenMapAccessAndMemWrite   Time span (e.g., <15s) between map read and memory write that may indicate enumeration-to-injection
InvokerBinaryAllowlist                  Allowlist of processes allowed to access /proc/[pid]/mem (e.g., gdb, strace)
FileWriteThreshold                      Alert if written bytes to /proc/[pid]/mem exceed a suspicious threshold (e.g., >4096 bytes)
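The following is an added worked example, not part of the DET0541 page or of any MITRE-published analytic, showing how the AN1494 logic and the four mutable elements above fit together as one correlation rule. It runs over constructed, already-normalized auditd SYSCALL events (one dict per syscall rather than raw auditd records) plus a constructed stand-in for the osquery processes table that maps target pids to names; the tunable values, the event fields and the `Finding` structure are all assumptions made for the example. It pairs a /proc/[pid]/maps open with a later /proc/[pid]/mem write from the same invoker inside the time window, flags oversized mem writes, skips allowlisted invokers, escalates severity when the target name matches TargetProcNameRegex, and separately flags dd or sed executed with a /proc/*/mem argument.

```python
import re
from dataclasses import dataclass

# Tunables mirroring the strategy's mutable elements; the concrete values are illustrative.
TARGET_PROC_NAME_REGEX = re.compile(r"^(sshd|nginx|sleep)$")    # TargetProcNameRegex
TIME_WINDOW_SECONDS = 15.0                                      # TimeWindowBetweenMapAccessAndMemWrite
INVOKER_BINARY_ALLOWLIST = {"/usr/bin/gdb", "/usr/bin/strace"}  # InvokerBinaryAllowlist
FILE_WRITE_THRESHOLD = 4096                                     # FileWriteThreshold (bytes)

PROC_MEM_PATH = re.compile(r"^/proc/(\d+)/(mem|maps)$")
TOOLS_OF_INTEREST = {"dd", "sed"}

# Constructed stand-in for the osquery `processes` table: target pid -> process name.
PROCESS_NAMES = {1200: "sshd", 1300: "bash", 1400: "sleep"}

# Constructed, already-normalized auditd SYSCALL events (not raw auditd lines). Each dict is one
# syscall from one invoking process; `bytes` is the write length, `argv` the execve arguments.
EVENTS = [
    {"ts": 100.0, "pid": 4242, "exe": "/usr/bin/python3", "syscall": "openat", "path": "/proc/1200/maps"},
    {"ts": 103.5, "pid": 4242, "exe": "/usr/bin/python3", "syscall": "write", "path": "/proc/1200/mem", "bytes": 8192},
    {"ts": 200.0, "pid": 5001, "exe": "/usr/bin/gdb", "syscall": "openat", "path": "/proc/1200/maps"},
    {"ts": 201.0, "pid": 5001, "exe": "/usr/bin/gdb", "syscall": "write", "path": "/proc/1200/mem", "bytes": 8},
    {"ts": 300.0, "pid": 6100, "exe": "/usr/bin/bash", "syscall": "execve",
     "argv": ["dd", "if=/tmp/blob.bin", "of=/proc/1400/mem", "conv=notrunc"]},
    {"ts": 400.0, "pid": 7000, "exe": "/usr/bin/cat", "syscall": "openat", "path": "/proc/1300/maps"},
    {"ts": 401.0, "pid": 7000, "exe": "/usr/bin/cat", "syscall": "write", "path": "/proc/1300/mem", "bytes": 16},
]


@dataclass
class Finding:
    rule: str
    severity: str
    invoker_pid: int
    invoker_exe: str
    target_pid: int
    target_name: str
    reasons: list


def _severity(target_name):
    # A write into a process matching TargetProcNameRegex is escalated; anything else stays medium.
    return "high" if TARGET_PROC_NAME_REGEX.match(target_name) else "medium"


def detect(events, process_names):
    """Return findings for maps-then-mem correlation, oversized mem writes and dd/sed aimed at /proc/*/mem."""
    findings = []
    last_maps_read = {}  # (invoker pid, target pid) -> timestamp of most recent /proc/<pid>/maps open
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["syscall"] == "execve":
            argv = ev.get("argv", [])
            if not argv or argv[0] not in TOOLS_OF_INTEREST:
                continue
            for arg in argv[1:]:
                # dd passes paths as of=/path; sed passes them bare, so look after a '=' if present
                m = PROC_MEM_PATH.match(arg.split("=", 1)[-1])
                if m and m.group(2) == "mem":
                    target = int(m.group(1))
                    name = process_names.get(target, "unknown")
                    findings.append(Finding("proc_mem_tool_exec", _severity(name), ev["pid"], ev["exe"],
                                            target, name, [f"{argv[0]} invoked against {arg}"]))
            continue

        m = PROC_MEM_PATH.match(ev.get("path", ""))
        if not m:
            continue
        target, kind = int(m.group(1)), m.group(2)
        if kind == "maps":
            # Remember the enumeration step; a later mem write from the same invoker is the pairing we want.
            last_maps_read[(ev["pid"], target)] = ev["ts"]
            continue
        if ev["syscall"] != "write":
            continue
        if ev["exe"] in INVOKER_BINARY_ALLOWLIST:
            continue  # debuggers and tracers on the allowlist are expected to touch /proc/<pid>/mem

        reasons = []
        prior = last_maps_read.get((ev["pid"], target))
        if prior is not None and ev["ts"] - prior <= TIME_WINDOW_SECONDS:
            reasons.append(f"maps read {ev['ts'] - prior:.1f}s before mem write")
        if ev.get("bytes", 0) > FILE_WRITE_THRESHOLD:
            reasons.append(f"wrote {ev['bytes']} bytes (threshold {FILE_WRITE_THRESHOLD})")
        if reasons:
            name = process_names.get(target, "unknown")
            findings.append(Finding("proc_mem_write", _severity(name), ev["pid"], ev["exe"], target, name, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS, PROCESS_NAMES):
        print(f"[{f.severity}] {f.rule}: pid {f.invoker_pid} ({f.invoker_exe}) -> "
              f"pid {f.target_pid} ({f.target_name}); " + "; ".join(f.reasons))
```

On the constructed events this yields three findings: the python3 write into sshd (maps read 3.5s earlier and 8192 bytes written, severity high), the dd execve aimed at the sleep process, and the cat write into bash (paired with a maps read but below the byte threshold and not a high-value target, so severity medium); the gdb write is dropped by the allowlist. In a real deployment the allowlist should be keyed on the executable path from auditd's `exe` field rather than `comm`, since the latter is trivially chosen by the invoking process.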