This note documents detection patterns related to Memory Only Execution on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell history | `/dev/shm/` execution | In-memory or tmpfs execution | Critical | Strong stealth indicator. |
| Shell history | `memfd_create` usage | Fileless execution primitive | Critical | Advanced tradecraft. |
| Shell history | `curl ... \| bash` | Direct pipe execution | Critical | Downloaded script never written to disk. |
| Shell history | `wget -qO- ... \| sh` | Streamed payload | Critical | Same pattern using wget. |
| Shell history | `python -c exec(` | Inline memory execution | Critical | No file artifact required. |
| Shell history | `base64 -d \| bash` | Obfuscated fileless execution | Critical | Decoded payload piped straight into a shell. |
| Deleted running binary | `/proc/<pid>/exe -> ... (deleted)` | Memory-resident payload | Critical | Very strong indicator. |
| Process path | Binary started from tmpfs | Execution from /dev/shm or another tmpfs mount | Critical | RAM-backed path; nothing survives a reboot. |
| auditd | Execute from tmpfs | Exec syscall with a tmpfs path | Critical | Strong attribution (uid, parent, command line). |
| lsof | Deleted executable still open | Unlinked binary still mapped by a live process | Critical | Runtime truth. |
| maps | Anonymous executable mapping | Code running from a region with no backing file | Critical | Advanced memory clue. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Payload executed then deleted | Memory-resident behavior | Critical | Strong stealth sequence. |
| /dev/shm binary plus outbound connection | Fileless C2 | Critical | Very high severity. |
| Deleted process under service account | Suspicious context | Critical | Often an exploitation shell. |
| Pipe execution after foothold | Scriptless payload stage | Critical | Strong intrusion chain. |
| No disk file but live suspicious PID | Memory-only tradecraft | Critical | Requires live triage. |
Common Tools
| Tool | Usage |
|---|---|
| /dev/shm | Tmpfs execution path. |
| `curl \| bash` | Direct pipe execution of a downloaded script. |
| `wget -qO- \| sh` | Streamed payload piped into a shell. |
| Python | Inline fileless execution (`python -c exec(...)`). |
| memfd_create | Advanced memory payloads. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| Process links | `/proc/<pid>/exe` | Critical | Deleted binary clue. |
| Process maps | `/proc/<pid>/maps` | Critical | Memory regions. |
| Open files | `lsof -p <pid>` | Critical | Deleted file handles. |
| Shell history | `.bash_history` | Critical | Launch evidence. |
| Audit logs | `/var/log/audit/audit.log` | Critical | Attribution. |
MITRE ATT&CK References
- T1055 Process Injection
- T1620 Reflective Code Loading
- T1105 Ingress Tool Transfer
Decision Tree
- Was payload executed from tmpfs?
- Is executable deleted?
- Is process still alive?
- Any outbound socket?
- Which parent process launched it?
Example Detection Templates
Grep
grep -R "/dev/shm\|curl .*| bash\|wget -qO- .*| sh\|base64 -d .*| bash\|python -c exec" /home/*/.bash_history /root/.bash_history 2>/dev/null
Journalctl
journalctl | grep -E "shm|deleted"
File Inspection
ls -l /proc/*/exe 2>/dev/null | grep deleted
lsof | grep deleted
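The Decision Tree and the File Inspection commands above each check one indicator at a time. The script below is an added example, not part of the original note: it walks a /proc tree and answers every decision-tree question per process (tmpfs or memfd executable, unlinked executable, anonymous executable mapping, established TCP socket, parent process) in one line. The proc-root argument, the function names, and the treatment of /dev/shm as the only tmpfs path are assumptions of this example; the fake /proc layout used to exercise it is constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added live-triage example (not from the original note). Walks a /proc tree
# and answers the decision tree for every process. The root defaults to /proc;
# a constructed copy of the /proc layout can be passed instead (assumption).

# Does the process hold an fd to a TCP socket in state 01 (ESTABLISHED)?
# Reads the process's own /proc/<pid>/net/tcp, so it is correct across
# network namespaces. Caveat: ESTABLISHED also covers accepted inbound
# connections; compare the local port with LISTEN (state 0A) entries to
# separate outbound from inbound.
has_established_tcp() {
    local root="$1" pid="$2" fd ino
    for fd in "$root/$pid"/fd/*; do
        ino="$(readlink "$fd" 2>/dev/null || true)"
        case "$ino" in
            socket:\[*\]) ino="$(printf '%s' "$ino" | tr -cd '0-9')" ;;
            *) continue ;;
        esac
        # /proc/<pid>/net/tcp columns: 4 = state, 10 = socket inode
        if awk -v i="$ino" 'NR > 1 && $4 == "01" && $10 == i { f = 1 } END { exit !f }' \
               "$root/$pid/net/tcp" 2>/dev/null; then
            return 0
        fi
    done
    return 1
}

# Does /proc/<pid>/maps contain an executable region with no backing file?
# A maps line has 6 fields when a path (or [stack], [vdso]) is present and
# 5 when the mapping is anonymous. Caveat: JIT runtimes (Java, browsers)
# create such regions legitimately, so treat this as a lead, not proof.
has_anon_exec_map() {
    awk '$2 ~ /x/ && NF < 6 { f = 1 } END { exit !f }' "$1/$2/maps" 2>/dev/null
}

# Answer the decision tree for one pid on a single line of key=value pairs.
triage_pid() {
    local root="$1" pid="$2" d="$1/$2"
    local exe ppid pcomm tmpfs=no memfd=no deleted=no anon=no tcp=no
    exe="$(readlink "$d/exe" 2>/dev/null || true)"
    # Executed from tmpfs? From an anonymous memfd (memfd_create + fexecve)?
    case "$exe" in /dev/shm/*) tmpfs=yes ;; /memfd:*) memfd=yes ;; esac
    # Executable deleted? The kernel appends " (deleted)" to the link target.
    case "$exe" in *" (deleted)") deleted=yes ;; esac
    has_anon_exec_map "$root" "$pid" && anon=yes
    has_established_tcp "$root" "$pid" && tcp=yes
    # Which parent launched it? PPid from status, parent's comm for context.
    ppid="$(awk '/^PPid:/ { print $2 }' "$d/status" 2>/dev/null || true)"
    pcomm="$(cat "$root/$ppid/comm" 2>/dev/null || echo '?')"
    printf "pid=%s exe='%s' tmpfs=%s memfd=%s deleted=%s anon_exec=%s established=%s parent=%s(%s)\n" \
        "$pid" "$exe" "$tmpfs" "$memfd" "$deleted" "$anon" "$tcp" "${ppid:-?}" "$pcomm"
}

# Print the triage line for every live pid that shows at least one indicator.
scan_proc() {
    local root="${1:-/proc}" d line
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        line="$(triage_pid "$root" "${d##*/}")"
        case "$line" in
            *tmpfs=yes*|*memfd=yes*|*deleted=yes*|*anon_exec=yes*) printf '%s\n' "$line" ;;
        esac
    done
}

# Usage on a live host (root is needed to read other users' /proc entries):
#   scan_proc /proc
```

Run it as root from a known-good shell and capture the output before touching the suspect process; a process whose line reads `deleted=yes` together with `established=yes` is the "/dev/shm binary plus outbound connection" sequence from the Indirect Indicators table, and `/proc/<pid>/exe` can still be copied out for analysis as long as the process is alive.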
Sigma
title: Linux Memory Only Execution
id: linux-memory-only-execution
status: experimental
description: Detects suspicious fileless or tmpfs execution on Linux
logsource:
    product: linux
detection:
    selection_keywords:
        message|contains:
            - '/dev/shm'
            - 'curl'
            - 'wget -qO-'
            - 'base64 -d'
    condition: selection_keywords
level: high
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1620
    - attack.t1105
Tuning note: `curl` and `base64 -d` on their own match routine administration and will fire constantly; scope the keywords to the piped forms from the tables above (`curl ... | bash`, `base64 -d | bash`) before relying on the high level.
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Tmpfs monitoring | Watch /dev/shm execution | Critical | Strong fileless visibility. |
| Auditd | Track exec from tmpfs | High | Attribution. |
| Egress filtering | Limit streamed payload retrieval | Critical | Reduces fileless success. |