Detects adversary behavior where a process enumerates and modifies another process's memory using /proc/[pid]/maps and /proc/[pid]/mem files. This includes identifying gadgets via memory mappings and overwriting process memory via low-level file modification or dd usage.
| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open/write to /proc/*/mem or /proc/*/maps |
| OS API Execution (DC0021) | auditd:SYSCALL | execve of dd or sed targeting /proc/*/mem |
| File Access (DC0055) | linux:osquery | /proc/*/maps access |
| Field | Description |
|---|---|
| TargetProcNameRegex | Regex list of high-value processes attackers may inject into, such as `sshd`, `nginx`, or `sleep` |
| TimeWindowBetweenMapAccessAndMemWrite | Time span (e.g., <15s) between map read and memory write that may indicate enumeration-to-injection |
| InvokerBinaryAllowlist | Allowlist of processes allowed to access /proc/[pid]/mem (e.g., gdb, strace) |
| FileWriteThreshold | Alert if written bytes to /proc/[pid]/mem exceed a suspicious threshold (e.g., >4096 bytes) |
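The correlation the tunables above describe, as an added example (not part of this detection strategy's own tooling): it takes simplified event dicts already parsed from auditd/osquery (the raw record format, field names and sample values here are assumptions), keys the enumeration-to-injection chain on (invoker, target pid), and applies the allowlist, time window, byte threshold and dd/sed checks.

```python
import re

# Tunables mirroring the fields in the table above (values are assumed defaults).
TARGET_PROC_NAME_REGEX = re.compile(r"^(sshd|nginx|sleep)$")
TIME_WINDOW_SECONDS = 15.0          # TimeWindowBetweenMapAccessAndMemWrite
INVOKER_BINARY_ALLOWLIST = {"gdb", "strace"}
FILE_WRITE_THRESHOLD = 4096         # bytes
LOW_LEVEL_WRITERS = {"dd", "sed"}   # execve of these targeting /proc/*/mem
PROC_PATH = re.compile(r"^/proc/(\d+)/(maps|mem)$")

def detect_proc_mem_injection(events, target_names):
    """events: dicts with ts, comm, path, op, bytes; target_names: pid -> name."""
    last_maps_read = {}  # (invoker comm, target pid) -> ts of latest maps read
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = PROC_PATH.match(ev["path"])
        if not m or ev["comm"] in INVOKER_BINARY_ALLOWLIST:
            continue  # not a /proc memory file, or a trusted debugger
        pid, node = int(m.group(1)), m.group(2)
        key = (ev["comm"], pid)
        if node == "maps" and ev["op"] == "read":
            last_maps_read[key] = ev["ts"]  # mapping/gadget enumeration step
            continue
        target_ok = TARGET_PROC_NAME_REGEX.match(target_names.get(pid, ""))
        if node != "mem" or ev["op"] != "write" or not target_ok:
            continue
        reasons = []
        maps_ts = last_maps_read.get(key)
        if maps_ts is not None and ev["ts"] - maps_ts <= TIME_WINDOW_SECONDS:
            reasons.append("maps read followed by mem write within window")
        if ev["bytes"] > FILE_WRITE_THRESHOLD:
            reasons.append("write exceeds FileWriteThreshold")
        if ev["comm"] in LOW_LEVEL_WRITERS:
            reasons.append("dd/sed used against /proc/*/mem")
        if reasons:
            alerts.append({"invoker": ev["comm"], "pid": pid, "ts": ev["ts"], "reasons": reasons})
    return alerts

def run_sample():
    """Constructed, simplified events (not real auditd records) exercising each rule."""
    targets = {4242: "sshd", 5151: "sshd", 7777: "bash"}
    events = [
        {"ts": 101.0, "comm": "gdb", "path": "/proc/4242/mem", "op": "write", "bytes": 8192},
        {"ts": 200.0, "comm": "python3", "path": "/proc/5151/maps", "op": "read", "bytes": 0},
        {"ts": 203.5, "comm": "python3", "path": "/proc/5151/mem", "op": "write", "bytes": 128},
        {"ts": 300.0, "comm": "dd", "path": "/proc/5151/mem", "op": "write", "bytes": 8192},
        {"ts": 400.0, "comm": "python3", "path": "/proc/7777/maps", "op": "read", "bytes": 0},
        {"ts": 401.0, "comm": "python3", "path": "/proc/7777/mem", "op": "write", "bytes": 16},
    ]
    return detect_proc_mem_injection(events, targets)
```

On the sample, the allowlisted gdb write and the write into the non-high-value `bash` target are suppressed, while the python3 maps-then-mem chain and the oversized dd write each raise one alert.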