title: Proc Memory (T1055.009)
id: df00tech-t1055-009
status: experimental
description: "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes' stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets otherwise hidden by ASLR. Once enumerated, the target processes' memory map within /proc/[pid]/maps can be overwritten using dd."
references:
  - https://attack.mitre.org/techniques/T1055/009/
  - https://df00tech.com/detections/T1055.009
author: df00tech
date: 2026/04/16
tags:
  - attack.t1055.009
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The technique relies on the Linux /proc filesystem, so the product is linux, not windows.
logsource:
  category: process_creation
  product: linux
detection:
  # The original KQL/SPL query could not be auto-translated; see the query on df00tech.
  # The selection below is derived from the technique description (dd writing into
  # /proc/[pid]) and replaces the former catch-all 'EventID: *' placeholder, which
  # matched every event. Validate it against the df00tech query before deployment.
  selection:
    Image|endswith: '/dd'
    CommandLine|contains: 'of=/proc/'
  condition: selection
falsepositives:
  - "System monitoring tools (top, htop, ps) reading /proc/[pid]/maps for memory statistics"
  - Container orchestration tools reading /proc filesystem for resource accounting
  - "Performance profiling tools (perf, valgrind) reading process memory maps"
  - Security scanning tools analyzing process memory layout for vulnerability assessment
level: high
