
Process Execution From Shared Memory Directory

Sigma Rules

Summary
This rule detects Linux process executions whose executable path resides under /dev/shm, the RAM-backed (tmpfs) shared memory directory. /dev/shm is normally used for in-memory inter-process communication and temporary storage; attackers abuse it to stage and execute payloads that never touch persistent disk, evading disk-based scanning and leaving little forensic residue. The detection is a single prefix match: it triggers when the process image path starts with /dev/shm/. Executables running from this location are unusual on a typical system and can indicate fileless malware techniques, including in containerized or heavily IPC-driven workloads. Some IPC frameworks legitimately create files in /dev/shm, but spawning executables from it is suspicious and warrants investigation and correlation with additional indicators (related process trees, parent processes, user context, network activity). Note that the match is on the image path only: a script launched as python3 /dev/shm/stage.py has an image of /usr/bin/python3 and is not caught by this rule, and mounting /dev/shm with noexec blocks direct execution but not interpreter-based execution of files staged there.
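The following is an added example, not code from the original page or from the Sigma project, showing the rule's prefix-match condition applied to constructed process-creation events, plus a companion check for interpreter-launched scripts that the image-only condition misses. The event field names (Image, CommandLine, ParentImage, User) follow the Sysmon-for-Linux convention and are assumed; the sample events are made up for illustration. The example also normalises the path before matching, an assumption that telemetry may carry unnormalised paths containing ".." segments; the rule itself is a plain prefix match.

```python
import os
import shlex
from typing import Dict, List

# Constructed sample process-creation events (not logs from the original
# page). Field names follow a Sysmon-for-Linux-style schema, assumed here.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": "/dev/shm/.hidden/miner",
     "CommandLine": "/dev/shm/.hidden/miner -o pool:3333",
     "ParentImage": "/usr/bin/bash", "User": "www-data"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 /dev/shm/stage2.py",
     "ParentImage": "/usr/bin/bash", "User": "root"},
    {"Image": "/tmp/../dev/shm/loader",
     "CommandLine": "/tmp/../dev/shm/loader",
     "ParentImage": "/usr/sbin/cron", "User": "root"},
    {"Image": "/usr/bin/ls",
     "CommandLine": "ls /dev/shm",
     "ParentImage": "/usr/bin/bash", "User": "alice"},
    {"Image": "/dev/shmx/tool",
     "CommandLine": "/dev/shmx/tool",
     "ParentImage": "/usr/bin/bash", "User": "alice"},
]

SHM_PREFIX = "/dev/shm/"


def image_in_dev_shm(event: Dict[str, str]) -> bool:
    """The rule's condition as the page describes it: the executable path
    starts with /dev/shm/. The path is normalised first so a '..' segment
    cannot hide the prefix (an assumption about the telemetry, added here;
    the raw Sigma condition is a plain startswith)."""
    image = os.path.normpath(event.get("Image", ""))
    return image.startswith(SHM_PREFIX)


def script_from_dev_shm(event: Dict[str, str]) -> bool:
    """Companion check, NOT part of the rule: an interpreter whose arguments
    reference a file under /dev/shm. The rule keys on Image only, so
    'python3 /dev/shm/x.py' has Image=/usr/bin/python3 and is missed."""
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:
        return False  # unbalanced quoting; treat as no match
    # argv[0] is the program itself; only its arguments are inspected.
    return any(os.path.normpath(a).startswith(SHM_PREFIX) for a in argv[1:])


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run both checks and return alerts carrying the correlation context the
    page recommends collecting (parent process and user)."""
    alerts: List[Dict[str, object]] = []
    for e in events:
        reasons = []
        if image_in_dev_shm(e):
            reasons.append("image_in_dev_shm")
        if script_from_dev_shm(e):
            reasons.append("interpreter_arg_in_dev_shm")
        if reasons:
            alerts.append({
                "image": e.get("Image", ""),
                "parent": e.get("ParentImage", ""),
                "user": e.get("User", ""),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Running the block flags three of the five events: the binary executed directly from /dev/shm (the rule's case), the loader whose path only resolves to /dev/shm after normalisation, and the python3 script run from /dev/shm, which only the companion check catches. "ls /dev/shm" is not flagged because /dev/shm itself is a directory listing argument, not a file under the prefix, and /dev/shmx/ does not share the prefix.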
Categories
  • Endpoint
  • Linux
Data Sources
  • Image
Created: 2026-06-20