{
	"id": "5ae23fbb-771e-4c31-8681-06ce451d1a96",
	"created_at": "2026-04-06T00:06:34.912128Z",
	"updated_at": "2026-04-10T03:21:50.287525Z",
	"deleted_at": null,
	"sha1_hash": "3baf8103a3848c9aaaf187b394df8d8951e24fd8",
	"title": "Binary Executed from Shared Memory Directory | Elastic Security [7.17]",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47121,
	"plain_text": "Binary Executed from Shared Memory Directory | Elastic Security [7.17]\r\nArchived: 2026-04-05 20:32:52 UTC\r\nBinary Executed from Shared Memory Directory\r\nIdentifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.\r\nRule type: eql\r\nRule indices:\r\nlogs-endpoint.events.*\r\nSeverity: high\r\nRisk score: 73\r\nRuns every: 5m\r\nSearches indices from: now-9m (Date Math format, see also Additional look-back time)\r\nMaximum alerts per execution: 100\r\nReferences:\r\nhttps://linuxsecurity.com/features/fileless-malware-on-linux\r\nhttps://twitter.com/GossiTheDog/status/1522964028284411907\r\nTags:\r\nElastic\r\nHost\r\nLinux\r\nThreat Detection\r\nExecution\r\nBPFDoor\r\nVersion: 1\r\nRule authors:\r\nElastic\r\nRule license: Elastic License v2\r\nprocess where event.type == \"start\" and\r\n event.action == \"exec\" and user.name == \"root\" and\r\n process.executable : (\r\n \"/dev/shm/*\",\r\n \"/run/shm/*\",\r\n \"/var/run/*\",\r\n \"/var/lock/*\"\r\n )\r\nFramework: MITRE ATT\u0026CK™\r\nTactic:\r\nName: Execution\r\nID: TA0002\r\nReference URL: https://attack.mitre.org/tactics/TA0002/\r\nTechnique:\r\nName: Command and Scripting Interpreter\r\nID: T1059\r\nReference URL: https://attack.mitre.org/techniques/T1059/\r\nSource: https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.elastic.co/guide/en/security/7.17/prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html"
	],
	"report_names": [
		"prebuilt-rule-7-16-3-binary-executed-from-shared-memory-directory.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433994,
	"ts_updated_at": 1775791310,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3baf8103a3848c9aaaf187b394df8d8951e24fd8.pdf",
		"text": "https://archive.orkl.eu/3baf8103a3848c9aaaf187b394df8d8951e24fd8.txt",
		"img": "https://archive.orkl.eu/3baf8103a3848c9aaaf187b394df8d8951e24fd8.jpg"
	}
}