Proc Memory

// Detect /proc/[pid]/mem and /proc/[pid]/maps access for injection
Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any ("/proc/") and SyslogMessage has_any ("mem", "maps", "syscall")
| where SyslogMessage !has "self" // exclude /proc/self/ access (legitimate)
| where SyslogMessage !has "gdb" and SyslogMessage !has "strace"
| extend ProcAccess = extract(@"/proc/(\d+)/(mem|maps|syscall)", 0, SyslogMessage)
| where isnotempty(ProcAccess)
| project TimeGenerated, Computer, SyslogMessage, ProcAccess, Facility, SeverityLevel
| sort by TimeGenerated desc

index=linux sourcetype="linux:audit" (type=SYSCALL OR type=PATH)
| eval is_proc_mem=if(match(name, "/proc/[0-9]+/mem$") OR match(path, "/proc/[0-9]+/mem$"), 1, 0)
| eval is_proc_maps=if(match(name, "/proc/[0-9]+/maps$") OR match(path, "/proc/[0-9]+/maps$"), 1, 0)
| where is_proc_mem=1 OR is_proc_maps=1
| eval exe_name=mvindex(split(exe, "/"), -1)
| search NOT exe_name IN ("ps", "top", "htop", "gdb", "strace", "ltrace", "perf", "systemd", "dockerd", "containerd")
| eval target_pid=replace(coalesce(name, path), "/proc/(\d+)/.*", "\1")
| eval access_type=if(is_proc_mem=1, "/proc/pid/mem (direct memory access)", "/proc/pid/maps (memory layout enumeration)")
| eval InjectionRisk=if(is_proc_mem=1, "HIGH - Direct memory write capability", "MEDIUM - Memory layout reconnaissance")
| table _time, host, auid, uid, exe, pid, target_pid, access_type, InjectionRisk
| sort - _time

file where event.action in ("open", "opened-file", "read") and file.path : "/proc/*/mem" or file.path : "/proc/*/maps" or file.path : "/proc/*/syscall" and not file.path : "/proc/self/*" and not process.name in ("ps", "top", "htop", "gdb", "strace", "ltrace", "perf", "systemd", "dockerd", "containerd", "lsof")

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time, sourceip AS host_ip, username, "Message" AS raw_message, LOGSOURCETYPENAME(devicetype) AS log_source_type, QIDNAME(qid) AS event_name FROM events WHERE (LOGSOURCETYPENAME(devicetype) ILIKE '%Linux%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%audit%') AND ("Message" ILIKE '%/proc/%/mem%' OR "Message" ILIKE '%/proc/%/maps%' OR "Message" ILIKE '%/proc/%/syscall%') AND "Message" NOT ILIKE '%/proc/self/%' AND "Message" NOT ILIKE '%exe="/usr/bin/gdb"%' AND "Message" NOT ILIKE '%exe="/usr/bin/strace"%' AND "Message" NOT ILIKE '%exe="/usr/bin/ltrace"%' AND "Message" NOT ILIKE '%exe="/usr/bin/perf"%' AND "Message" NOT ILIKE '%exe="/bin/ps"%' AND "Message" NOT ILIKE '%exe="/usr/bin/top"%' ORDER BY starttime DESC LAST 24 HOURS

_sourceCategory=linux/audit (type=SYSCALL OR type=PATH) ("/proc/" AND ("mem" OR "maps" OR "syscall")) | parse regex field=_raw "name=\"(?P<file_path>[^\"]+)\"" nodrop | parse regex field=_raw "exe=\"(?P<exe_path>[^\"]+)\"" nodrop | parse regex field=_raw "pid=(?P<process_pid>\d+)" nodrop | parse regex field=_raw "auid=(?P<auid>\d+)" nodrop | where (file_path matches "/proc/*/mem" OR file_path matches "/proc/*/maps" OR file_path matches "/proc/*/syscall") | where !(file_path matches "/proc/self/*") | where !(exe_path matches "*/gdb" OR exe_path matches "*/strace" OR exe_path matches "*/ltrace" OR exe_path matches "*/perf" OR exe_path matches "*/ps" OR exe_path matches "*/top" OR exe_path matches "*/htop" OR exe_path matches "*/systemd" OR exe_path matches "*/dockerd" OR exe_path matches "*/containerd") | parse regex field=file_path "/proc/(?P<target_pid>\d+)/(?P<access_type>\w+)" | eval risk_level = if(access_type = "mem", "HIGH - Direct memory write", "MEDIUM - Memory layout recon") | count by _sourceHost, exe_path, target_pid, access_type, risk_level | sort by _count desc

rule proc_memory_injection_t1055_009 {
  meta:
    author = "df00tech"
    description = "Detects /proc/pid/mem and /proc/pid/maps file access indicative of proc memory injection (T1055.009). Adversaries enumerate memory layout via maps and overwrite stack or heap via direct mem writes."
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.009"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-16"

  events:
    $e.metadata.event_type = "FILE_OPEN"
    $e.target.file.full_path = /\/proc\/[0-9]+\/(mem|maps|syscall)/
    not $e.target.file.full_path = /\/proc\/self\//
    not re.regex($e.principal.process.file.full_path, `/(gdb|strace|ltrace|perf|systemd|dockerd|containerd|ps|top|htop|lsof)$`)

  condition:
    $e
}

#event_simpleName = ProcessRollup2
| CommandLine = /\/proc\/[0-9]+\/(mem|maps|syscall)/
| ImageFileName != /(gdb|strace|ltrace|perf|systemd|dockerd|containerd|ps|top|htop|lsof)(\s|$)/
| regex(field=CommandLine, regex="/proc/(?P<target_pid>[0-9]+)/(?P<access_type>mem|maps|syscall)", flags=i)
| access_risk := if(access_type == "mem", "HIGH - Direct memory write via /proc/pid/mem", "MEDIUM - Memory layout recon via /proc/pid/maps")
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, target_pid, access_type, access_risk])
| sort(timestamp, order=desc)