Linux Process Running from /dev/shm RAM Disk Attack
The Linux RAM disk in /dev/shm is a favorite place for malware to hide. The RAM disk is not frequently checked and is volatile, so the malware can be sure it leaves no traces on disk if the system reboots. In this video we go over this attack, how to find it with Sandfly agentless Linux EDR, and command line forensics you can use to help investigate what may be happening.
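A minimal command-line check for the condition described above, added here as an example (it is not Sandfly's code and not the commands shown in the video): it walks /proc and reports every process whose `exe` link points into /dev/shm, flagging binaries that were deleted after launch. The function name `find_shm_procs` and its optional proc-root argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list processes whose executable lives on the /dev/shm RAM disk.
# find_shm_procs is a hypothetical helper name, not a tool from the page.
# Optional argument: the proc root to scan (defaults to /proc), so the
# function can also be pointed at a copied or constructed tree.

find_shm_procs() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"

        # /proc/<pid>/exe is a symlink to the binary the process was started
        # from. readlink fails for kernel threads and for processes we lack
        # permission to inspect, so those entries are skipped.
        exe="$(readlink "$dir/exe" 2>/dev/null)" || continue

        case "$exe" in
            /dev/shm/*)
                # The kernel appends " (deleted)" when the file was unlinked
                # after the process started; the process keeps running from
                # memory even though the path no longer exists.
                state="present"
                case "$exe" in
                    *" (deleted)") state="deleted" ;;
                esac
                printf '%s\t%s\t%s\n' "$pid" "$state" "$exe"
                ;;
        esac
    done
}

# Usage on a live host (run as root so every process's exe link is readable):
#   find_shm_procs
```

Each output line is `PID<TAB>state<TAB>path`; a `deleted` entry means the binary has already been removed from the RAM disk while its process is still running.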
Sandfly is able to find this and many other types of Linux attacks without deploying any endpoint agents. Get your free license today or contact us for more information.