
Summary
This rule detects suspicious use of the 'grep' command to inspect process memory maps on Linux systems. The detection leverages the '/proc/*/maps' file, which lists each running process's memory segments, their permissions, and the files backing them. Attackers may read a process's memory map to locate memory addresses for code injection or process hijacking. The rule triggers on process start events for the 'grep' command (including its variants 'egrep', 'fgrep', and 'rgrep') when the command-line arguments reference the memory segments listed in that file ([stack], [vdso], [heap]). The detection helps identify memory exploration that can precede unauthorized access to and manipulation of processes.
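The matching logic described above, as an added Python example that is not the rule's own query: it takes constructed process-start events (process name plus captured command line), restricts to the four grep variants, and flags any argument that names one of the [stack], [vdso] or [heap] segments. The event field names (event_action, process_name, command_line) and the sample events are assumptions for this example. One detail a tuned rule has to handle is that shells usually escape the brackets (for example '\[stack\]') before they reach grep, so the example strips backslashes before comparing.

```python
import shlex

# Process names the rule covers (from the rule summary).
GREP_VARIANTS = {"grep", "egrep", "fgrep", "rgrep"}
# Pseudo-path labels that /proc/<pid>/maps uses for anonymous segments.
MAP_SEGMENTS = ("[stack]", "[vdso]", "[heap]")


def normalize_arg(arg: str) -> str:
    # Shells often escape the brackets (\[stack\]); drop the escapes so the
    # argument is compared in the form grep itself receives.
    return arg.replace("\\", "")


def matches_memory_map_grep(event: dict) -> bool:
    """True when a process-start event shows a grep variant scanning maps segments.

    Field names are assumed for this example, not taken from any product schema.
    """
    if event.get("event_action") != "exec":
        return False
    if event.get("process_name") not in GREP_VARIANTS:
        return False
    try:
        args = shlex.split(event.get("command_line", ""))
    except ValueError:
        # Unbalanced quotes in the captured command line: nothing to match on.
        return False
    # args[0] is the program itself; only the pattern/path arguments matter.
    return any(seg in normalize_arg(a) for a in args[1:] for seg in MAP_SEGMENTS)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4101, "event_action": "exec", "process_name": "grep",
     "command_line": "grep '\\[stack\\]' /proc/4099/maps"},
    {"pid": 4102, "event_action": "exec", "process_name": "egrep",
     "command_line": r'egrep "\[heap\]|\[vdso\]" /proc/self/maps'},
    # Ordinary source-tree search: same binary, no map segment named.
    {"pid": 4103, "event_action": "exec", "process_name": "grep",
     "command_line": "grep -r TODO /home/dev/project"},
    # Reads the same file without grep; outside this rule's scope.
    {"pid": 4104, "event_action": "exec", "process_name": "cat",
     "command_line": "cat /proc/4099/maps"},
    # Process end event, not a start event.
    {"pid": 4105, "event_action": "end", "process_name": "grep",
     "command_line": "grep [stack] /proc/4099/maps"},
]


def find_hits(events):
    """Return the pids of events that satisfy the rule, in input order."""
    return [e["pid"] for e in events if matches_memory_map_grep(e)]


if __name__ == "__main__":
    for pid in find_hits(SAMPLE_EVENTS):
        print(f"alert: pid {pid} ran grep over memory map segments")
```

The cat event is left unmatched on purpose: the rule as summarized keys on grep variants only, so reading the maps file through another utility needs a separate detection. The ordinary grep over a source tree shows the main source of benign noise, the same binary with unrelated arguments, which the segment-name check filters out.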
Categories
- Endpoint
- Linux
Data Sources
- Process
- Application Log
- Kernel
ATT&CK Techniques
- T1057
Created: 2024-02-05