T1055.009 Sumo Logic CSE · Sumo

Detect Proc Memory in Sumo Logic CSE

Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes' stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets otherwise hidden by ASLR. Once enumerated, the target processes' memory map within /proc/[pid]/maps can be overwritten using dd.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.009 Proc Memory
Canonical reference
https://attack.mitre.org/techniques/T1055/009/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=linux/audit (type=SYSCALL OR type=PATH) ("/proc/" AND ("mem" OR "maps" OR "syscall"))
| parse regex field=_raw "name=\"(?P<file_path>[^\"]+)\"" nodrop
| parse regex field=_raw "exe=\"(?P<exe_path>[^\"]+)\"" nodrop
// \b stops "pid=" from matching inside the ppid= field that precedes it in SYSCALL records
| parse regex field=_raw "\bpid=(?P<process_pid>\d+)" nodrop
| parse regex field=_raw "\bauid=(?P<auid>\d+)" nodrop
| where (file_path matches "/proc/*/mem" OR file_path matches "/proc/*/maps" OR file_path matches "/proc/*/syscall")
// a process reading its own /proc/self entries is routine
| where !(file_path matches "/proc/self/*")
// known legitimate tooling that reads other processes' memory or maps
| where !(exe_path matches "*/gdb" OR exe_path matches "*/strace" OR exe_path matches "*/ltrace" OR exe_path matches "*/perf" OR exe_path matches "*/ps" OR exe_path matches "*/top" OR exe_path matches "*/htop" OR exe_path matches "*/systemd" OR exe_path matches "*/dockerd" OR exe_path matches "*/containerd")
| parse regex field=file_path "/proc/(?P<target_pid>\d+)/(?P<access_type>\w+)"
| if(access_type = "mem", "HIGH - Direct memory write", "MEDIUM - Memory layout recon") as risk_level
| count by _sourceHost, exe_path, target_pid, access_type, risk_level
| sort by _count desc
Severity: high. Confidence: medium.

Sumo Logic CSE query against Linux auditd events forwarded via syslog. It parses auditd PATH and SYSCALL records to identify process access to /proc/[pid]/mem, /proc/[pid]/maps and /proc/[pid]/syscall, the core file paths abused in T1055.009 proc memory injection. Access to mem is classified HIGH (a direct write primitive) and access to maps or syscall MEDIUM (memory layout reconnaissance); a process's own /proc/self entries and known legitimate tooling are excluded.
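The same detection logic in Python, run offline over constructed auditd lines, as an added example that is not part of this page or of the Sumo Logic rule. auditd writes the SYSCALL record (which carries exe=, pid= and auid=) and the PATH record (which carries name=) as separate lines that share one msg=audit(ts:serial) identifier, so the code joins the two on that identifier before applying the path filter, the /proc/self exclusion, the tooling allow-list and the risk classification. The sample log, its pids and its paths are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not real telemetry). Each SYSCALL and its
# PATH record share the msg=audit(<ts>:<serial>) identifier used to join them.
# Event 101: dd opening /proc/2222/mem (expected HIGH finding).
# Event 102: shell reading /proc/2222/maps (expected MEDIUM finding).
# Event 103: gdb on /proc/2222/mem (allow-listed tool, excluded).
# Event 104: cat on /proc/self/maps (self access, excluded).
# Event 105: unrelated file (ignored).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 comm="dd" exe="/usr/bin/dd" key=(null)
type=PATH msg=audit(1700000000.101:101): item=0 name="/proc/2222/mem" inode=1 dev=00:05 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)
type=PATH msg=audit(1700000000.102:102): item=0 name="/proc/2222/maps" inode=2 dev=00:05 mode=0100444 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:103): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1236 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key=(null)
type=PATH msg=audit(1700000000.103:103): item=0 name="/proc/2222/mem" inode=1 dev=00:05 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:104): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1237 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.104:104): item=0 name="/proc/self/maps" inode=3 dev=00:05 mode=0100444 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.105:105): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1238 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1700000000.105:105): item=0 name="/etc/hostname" inode=4 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# Field extractions mirroring the Sumo query. "\bpid=" avoids matching ppid=.
RE_EVENT_ID = re.compile(r"msg=audit\((?P<event_id>\d+\.\d+:\d+)\)")
RE_NAME = re.compile(r'name="(?P<file_path>[^"]+)"')
RE_EXE = re.compile(r'exe="(?P<exe_path>[^"]+)"')
RE_PID = re.compile(r"\bpid=(?P<pid>\d+)")
RE_AUID = re.compile(r"\bauid=(?P<auid>\d+)")
# Target pid and accessed entry, mirroring the query's final parse regex.
RE_PROC_TARGET = re.compile(r"^/proc/(?P<target_pid>\d+)/(?P<access_type>mem|maps|syscall)$")

# Allow-list from the query, matched on the last component of exe=.
EXCLUDED_TOOLS = {"gdb", "strace", "ltrace", "perf", "ps", "top", "htop",
                  "systemd", "dockerd", "containerd"}


def group_records(raw_log):
    """Join SYSCALL and PATH lines that share one audit event id into one dict."""
    events = defaultdict(dict)
    for line in raw_log.splitlines():
        m_id = RE_EVENT_ID.search(line)
        if not m_id:
            continue
        ev = events[m_id["event_id"]]
        for rx in (RE_NAME, RE_EXE, RE_PID, RE_AUID):
            m = rx.search(line)
            if m:
                ev.update(m.groupdict())
    return events


def classify(file_path):
    """Return (target_pid, access_type, risk_level), or None if not a /proc memory path."""
    m = RE_PROC_TARGET.match(file_path)
    if not m:
        return None
    access_type = m["access_type"]
    risk = ("HIGH - Direct memory write" if access_type == "mem"
            else "MEDIUM - Memory layout recon")
    return m["target_pid"], access_type, risk


def detect(raw_log):
    """Apply the query's filters and return one finding per matching audit event."""
    findings = []
    for event_id, ev in sorted(group_records(raw_log).items()):
        file_path = ev.get("file_path", "")
        if file_path.startswith("/proc/self/"):
            continue  # a process inspecting itself is routine
        hit = classify(file_path)
        if hit is None:
            continue
        exe_path = ev.get("exe_path", "")
        if exe_path.rsplit("/", 1)[-1] in EXCLUDED_TOOLS:
            continue  # known legitimate tooling
        target_pid, access_type, risk = hit
        findings.append({
            "event_id": event_id, "exe_path": exe_path, "pid": ev.get("pid"),
            "auid": ev.get("auid"), "target_pid": target_pid,
            "access_type": access_type, "risk_level": risk,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUDIT_LOG):
        print(finding)
```

Feeding the sample log through detect() yields two findings: the dd open of /proc/2222/mem at HIGH and the shell read of /proc/2222/maps at MEDIUM; the gdb event falls to the allow-list and the /proc/self read to the self-access exclusion.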

Data Sources

  • Linux auditd forwarded to Sumo Logic via syslog collector or Sumo Logic Installed Collector with Linux source
  • Sumo Logic Cloud SIEM (CSE) with Linux normalized schema

Required Tables

_sourceCategory=linux/audit

False Positives & Tuning

  • Puppet or Ansible configuration management agents that enumerate running process metadata via /proc for compliance reporting
  • Security endpoint agents (e.g. Wazuh, OSSEC) that periodically scan /proc entries as part of rootkit detection routines
  • Developer tools running in CI/CD pipelines (e.g., sanitizers built into LLVM/clang, Valgrind wrappers) that access /proc/pid/maps for memory analysis during automated test runs

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Read Target Process Memory Maps

    Expected signal: auditd: open() syscall on /proc/<pid>/maps with the calling process (shell) details. The maps output shows memory regions including stack address needed for injection.

  2. Test 2: DD-based /proc/pid/mem Write Simulation

    Expected signal: auditd: open() on /proc/<pid>/maps. In a real injection: write() syscall to /proc/<pid>/mem would be logged. The dd command itself generates process creation events.

  3. Test 3: Check /proc Hardening Configuration

    Expected signal: No security telemetry — this is a configuration check. The output shows current hardening level.
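Test 3 produces no telemetry, only a view of the host's hardening posture. As an added example that is not from this page or from Atomic Red Team, the following Python check reports on the three kernel controls that bear on this technique: the Yama ptrace_scope sysctl (opening /proc/[pid]/mem goes through the kernel's ptrace access check, so scope 0 lets any same-uid process open another process's memory), kernel.randomize_va_space (with ASLR off, the maps reconnaissance step is unnecessary), and the hidepid mount option on /proc. The assessment functions take their inputs as parameters so they can be exercised against constructed values; the main block reads the live files and reports "unavailable" where Yama is not built into the kernel. SAMPLE_MOUNTS is a constructed /proc/mounts excerpt.

```python
# Constructed /proc/mounts excerpt for the self-test (not read from a real host).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=invisible 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Named hidepid values accepted by kernels 5.8 and later; older kernels use 0/1/2.
HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


def proc_mount_options(mounts_text):
    """Return the option list of the procfs mount at /proc, or [] if none is listed."""
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "/proc" and parts[2] == "proc":
            return parts[3].split(",")
    return []


def hidepid_level(options):
    """Numeric hidepid level from a mount option list; 0 when the option is absent."""
    for opt in options:
        if opt.startswith("hidepid="):
            value = opt.split("=", 1)[1]
            if value in HIDEPID_NAMES:
                return HIDEPID_NAMES[value]
            return int(value) if value.isdigit() else 0
    return 0


def assess(ptrace_scope, randomize_va_space, mounts_text):
    """Map raw sysctl strings (None = file unavailable) and /proc/mounts text to verdicts."""
    findings = {}

    # Yama ptrace_scope: 0 classic, 1 descendants only, 2 CAP_SYS_PTRACE only, 3 no attach.
    scope = int(ptrace_scope) if ptrace_scope is not None else None
    if scope is None:
        findings["kernel.yama.ptrace_scope"] = "unavailable (Yama not built in)"
    elif scope == 0:
        findings["kernel.yama.ptrace_scope"] = "weak: any same-uid process may attach"
    elif scope == 1:
        findings["kernel.yama.ptrace_scope"] = "ok: restricted to descendants"
    elif scope == 2:
        findings["kernel.yama.ptrace_scope"] = "strong: CAP_SYS_PTRACE required"
    else:
        findings["kernel.yama.ptrace_scope"] = "strong: ptrace disabled"

    # ASLR: 0 off, 1 stack/mmap/vdso randomized, 2 also randomizes brk.
    aslr = int(randomize_va_space) if randomize_va_space is not None else None
    if aslr is None:
        findings["kernel.randomize_va_space"] = "unavailable"
    elif aslr == 0:
        findings["kernel.randomize_va_space"] = "weak: ASLR disabled"
    elif aslr == 1:
        findings["kernel.randomize_va_space"] = "partial: brk not randomized"
    else:
        findings["kernel.randomize_va_space"] = "ok: full ASLR"

    # hidepid: at 1 or higher, other users' /proc/<pid>/ entries are not readable.
    level = hidepid_level(proc_mount_options(mounts_text))
    findings["proc.hidepid"] = ("weak: all pids visible to all users" if level == 0
                                else f"ok: hidepid={level}")
    return findings


def read_or_none(path):
    """Read a sysctl/procfs file, returning None when it does not exist or is unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    live = assess(read_or_none("/proc/sys/kernel/yama/ptrace_scope"),
                  read_or_none("/proc/sys/kernel/randomize_va_space"),
                  read_or_none("/proc/mounts") or "")
    for control, verdict in live.items():
        print(f"{control}: {verdict}")
```

Run as a script it prints one verdict per control for the current host; the functions can also be imported and pointed at captured values from another system.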
