Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1494: Analytic 1494

Detects adversary behavior where a process enumerates and modifies another process's memory using /proc/[pid]/maps and /proc/[pid]/mem files. This includes identifying gadgets via memory mappings and overwriting process memory via low-level file modification or dd usage.

EnterpriseAN1494AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a Linux behavior that can indicate direct tampering with a running process: reading another process's memory map through /proc/[pid]/maps and modifying memory through /proc/[pid]/mem, including via low-level file writes or dd. For security leaders, the decision value is whether Linux endpoint visibility is strong enough to show when one process is inspecting and altering another process, because this type of activity can affect incident containment, forensic confidence, and operational resilience on critical Linux systems.

Executive priority

Prioritize this as a Linux monitoring and incident-readiness question rather than as a standalone risk claim. Leaders should ask whether SOC and IR teams can identify suspicious cross-process memory access on Linux hosts, especially on servers supporting important business services. The business issue is evidence quality: if process-to-/proc access, command execution, and file write telemetry are not collected, responders may struggle to distinguish legitimate administration or debugging from unauthorized process manipulation.

Technical view

For SOC, detection engineering, and IR teams, validate visibility into Linux processes that access /proc/[pid]/maps and /proc/[pid]/mem, especially when one process enumerates memory mappings and then writes to another process's memory. The supplied ATT&CK object does not provide a detection query or tactic mapping, so teams should build validation around the described behavior: process creation, command-line arguments, file access to /proc paths, and evidence of low-level writes such as dd usage against /proc/[pid]/mem. Tuning should account for legitimate debugging, profiling, troubleshooting, and security tooling that may inspect process memory.

Likely telemetry

  • Linux process creation and command-line telemetry
  • File access telemetry for /proc/[pid]/maps and /proc/[pid]/mem
  • Audit or endpoint events showing read/write access to procfs paths
  • Evidence of dd or other low-level file modification utilities targeting /proc/[pid]/mem
  • User, parent process, and privilege context for processes accessing another process's memory

Detection direction

  • Validate that Linux telemetry captures both reads of /proc/[pid]/maps and writes to /proc/[pid]/mem, not only process starts.
  • Correlate memory-map enumeration followed by memory modification against the same target PID where telemetry allows.
  • Tune for known legitimate tools and workflows such as debugging, diagnostics, performance profiling, or approved security agents.
  • Prioritize anomalous parent-child process chains, unexpected users, unusual target processes, or access from non-administrative contexts.
  • Because no official detection logic is supplied, test detection assumptions in the local environment before treating alerts as high confidence.

Mitigation priorities

  • Restrict unnecessary administrative and debugging privileges on Linux systems.
  • Review which users, services, and tools have legitimate need to inspect or modify other process memory.
  • Ensure endpoint, audit, or EDR controls collect sufficient Linux procfs access and process execution evidence for investigation.
  • Harden critical Linux workloads using least privilege and operational change control so unusual memory access has clear ownership.
  • Document approved diagnostic tools and procedures to support SOC tuning and compliance evidence.
Analyst notes and limits

This Glexia take is based on the official ATT&CK analytic description for AN1494 only. The object is a detection analytic for Linux and describes behavior involving /proc/[pid]/maps and /proc/[pid]/mem. No tactics, relationships, aliases, labels, or official detection logic were supplied, so the recommendations focus on validation and telemetry coverage rather than a specific ATT&CK technique chain.

The source does not provide an official detection query, related techniques, threat actor context, active exploitation claims, or impact details. Local baselining is required to separate suspicious memory modification from legitimate Linux debugging and operational activity.

Official MITRE ATT&CK definition

Analytic 1494

Detects adversary behavior where a process enumerates and modifies another process's memory using /proc/[pid]/maps and /proc/[pid]/mem files. This includes identifying gadgets via memory mappings and overwriting process memory via low-level file modification or dd usage.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
3b8b498c312cce9e...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 3b8b498c312c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1494
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use