Process injected into another process

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1055-process-injection

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect usage of the ptrace systemcall to inject code into another process.

Strategy

The ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.

Triage and response

  1. Check the name of the process doing the injection (the tracer).
  2. Identify if the file doing the injection (the tracer) is authorized.
  3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. Initiate the incident response process.

Requires Agent version 7.35 or greater

PREVIEWING: brett.blue/embedded-collector-release