Adversaries may create shared memory segments to stage and execute payloads in memory, bypassing file-based detection. The rule below matches a byte sequence from the shared-memory creation code of the Linux Derusbi implant and only fires on ELF files: the uint32(0) == 0x464C457F check is the little-endian reading of the ELF magic bytes 7F 45 4C 46 ("\x7fELF"). SOC teams should proactively hunt for this behavior in Azure Sentinel, for example by ingesting YARA scan results alongside process and system-call telemetry, to identify in-memory attacks and mitigate advanced persistent threats.
YARA Rule
rule apt_nix_elf_Derusbi_Linux_SharedMemCreation
{
    meta:
        Author = "@seifreed"
    strings:
        $byte1 = { B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82 }
    condition:
        (uint32(0) == 0x464C457F) and (any of them)
}
This rule contains one string pattern in its detection logic, so "any of them" is equivalent to requiring that single 14-byte pattern (two of its bytes are wildcards). Any hit should therefore be triaged rather than treated as a confirmed Derusbi infection. The scenarios below describe legitimate activity that produces similar shared-memory behavior and the filters that can exclude it. Note that these filters apply to process and system-call telemetry gathered around the alert, not to the YARA match itself, which tests file content only.
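As an added example (not part of the original page and not the rule author's tooling), the following pure-Python re-implementation of the rule's condition lets the logic be traced without the yara library. It translates the hex string's full-byte ?? wildcards into a bytes regex, applies the ELF-magic guard, and runs over constructed sample buffers. The stub ELF header and the payload bytes are assumptions built for the demonstration, not real Derusbi samples.

```python
import re
import struct

# Hex string copied verbatim from the rule; "??" is a full-byte wildcard.
RULE_HEX = "B6 03 00 00 ?? 40 00 00 00 ?? 0D 5F 01 82"
# uint32(0) == 0x464C457F in YARA is little-endian, i.e. the bytes 7F 45 4C 46 ("\x7fELF").
ELF_MAGIC = 0x464C457F


def hex_pattern_to_regex(hex_str: str) -> re.Pattern:
    """Translate a YARA hex string made of full bytes and ?? wildcards into a bytes regex.

    Only the subset used by this rule is handled; nibble wildcards (e.g. ?4) and
    jumps ([2-4]) raise so that unsupported syntax is not silently mis-scanned.
    """
    parts = []
    for tok in hex_str.split():
        if tok == "??":
            parts.append(b".")  # any single byte
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(b"\\x%02X" % int(tok, 16))  # literal byte as a regex escape
        else:
            raise ValueError(f"unsupported hex token: {tok}")
    return re.compile(b"".join(parts), re.DOTALL)


PATTERN = hex_pattern_to_regex(RULE_HEX)


def is_elf(data: bytes) -> bool:
    """Mirror the rule's uint32(0) == 0x464C457F guard (little-endian read of the first 4 bytes)."""
    return len(data) >= 4 and struct.unpack("<I", data[:4])[0] == ELF_MAGIC


def scan(data: bytes) -> list:
    """Return the offsets of every pattern hit, or [] when the rule would not fire.

    The rule's condition is (ELF magic) and (any of them); with a single string
    this reduces to "ELF file containing the pattern".
    """
    if not is_elf(data):
        return []
    return [m.start() for m in PATTERN.finditer(data)]


def rule_matches(data: bytes) -> bool:
    return bool(scan(data))


# Constructed samples (assumptions, not real Derusbi binaries): a 64-byte stub ELF
# header followed by the pattern with the two wildcard bytes set to arbitrary values.
STUB_ELF_HEADER = b"\x7fELF" + b"\x00" * 60
PAYLOAD = bytes.fromhex("B6 03 00 00 11 40 00 00 00 22 0D 5F 01 82")
SAMPLE_HIT = STUB_ELF_HEADER + PAYLOAD
SAMPLE_NOT_ELF = b"MZ" + b"\x00" * 62 + PAYLOAD  # same bytes, but no ELF magic
SAMPLE_CLEAN_ELF = STUB_ELF_HEADER + b"\x90" * 32

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("not_elf", SAMPLE_NOT_ELF), ("clean", SAMPLE_CLEAN_ELF)]:
        print(f"{name}: matches={rule_matches(blob)} offsets={scan(blob)}")
```

Running the script shows the magic guard doing its job: the identical payload bytes match in the ELF-headed buffer but not in the "MZ"-headed one, which is why the rule is safe to run over mixed file sets without firing on PE files that happen to carry the same sequence.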
Scenario: System update or package installation using apt or yum
Description: Legitimate package management tools may create shared memory segments during installation or configuration processes.
Filter/Exclusion: Check for presence of apt or yum in the command line, or filter by process names like apt, yum, or dnf.
Scenario: Scheduled job using cron or systemd
Description: Automated tasks scheduled via cron or systemd may trigger shared memory creation as part of normal operation.
Filter/Exclusion: Filter by process names like cron, systemd, or at and check for known legitimate scripts or commands.
Scenario: Memory-mapped file usage by glibc or mmap() in applications
Description: Applications using mmap() for memory-mapped files (e.g., databases, virtualization tools) may create shared memory segments.
Filter/Exclusion: Filter by known applications like mysql, postgres, docker, or kvm and check for mmap() usage in system calls.
Scenario: Shared memory used by System V inter-process communication (IPC)
Description: Programs that use System V IPC mechanisms may create shared memory segments and message queues for communication between processes.
Filter/Exclusion: Filter by known IPC-using processes (note that msgget, shmget, and shmat are system calls, not process names) and check for known IPC-related system calls such as shmget, shmat, msgget, or semget; ipcs can be used to list the segments currently present.
Scenario: Virtualization or containerization tools like KVM, Docker, or LXC
Description: Virtualization platforms often use shared memory for communication between host and guest systems.
Filter/Exclusion: Filter by process names like kvm, docker, lxc, or `