Esc
Proc Memory - T1055.009
(ATT&CK® Technique)
Definition
Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1055009["Proc Memory"] --> |accesses| OperatingSystemFile["Operating System File"]; class T1055009 OffensiveTechniqueNode;
class OperatingSystemFile ArtifactNode; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile";
click T1055009 href "/offensive-technique/attack/T1055.009/"; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile"; T1055009["Proc Memory"] --> |may-modify| OperatingSystemFile["Operating System File"]; class T1055009 OffensiveTechniqueNode;
class OperatingSystemFile ArtifactNode; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile";
click T1055009 href "/offensive-technique/attack/T1055.009/"; click OperatingSystemFile href "/dao/artifact/d3f:OperatingSystemFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | OperatingSystemFile["Operating System File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| May Detect | T1055009["Proc Memory"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | OperatingSystemFile["Operating System File"];
FileEviction["File Eviction"] -.->
| May Evict | T1055009["Proc Memory"] ;
class FileEviction DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; DecoyFile["Decoy File"] -->
| spoofs | OperatingSystemFile["Operating System File"];
DecoyFile["Decoy File"] -.->
| May Deceive | T1055009["Proc Memory"] ;
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; FileEncryption["File Encryption"] -->
| encrypts | OperatingSystemFile["Operating System File"];
FileEncryption["File Encryption"] -.->
| May Harden | T1055009["Proc Memory"] ;
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; RestoreFile["Restore File"] -->
| restores | OperatingSystemFile["Operating System File"];
RestoreFile["Restore File"] -.->
| May Restore | T1055009["Proc Memory"] ;
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile"; LocalFilePermissions["Local File Permissions"] -->
| restricts | OperatingSystemFile["Operating System File"];
LocalFilePermissions["Local File Permissions"] -.->
| May Harden | T1055009["Proc Memory"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; FileAnalysis["File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
FileAnalysis["File Analysis"] -.->
| May Detect | T1055009["Proc Memory"] ;
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; SystemFileAnalysis["System File Analysis"] -->
| analyzes | OperatingSystemFile["Operating System File"];
SystemFileAnalysis["System File Analysis"] -.->
| May Detect | T1055009["Proc Memory"] ;
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemFile ArtifactNode;
click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis";