Process injected into another process

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1055-process-injection

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect usage of the ptrace systemcall to inject code into another process.

Strategy

The ptrace system call provides a means for one process to observe and control the execution of another process. This system call allows a process to modify the execution of another process, including changing memory and register values. Malicious actors have been observed using ptrace to inject code into another process, for the purposes of defense evasion and privilege escalation.

Triage and response

  1. Check the name of the process doing the injection (the tracer).
  2. Identify if the file doing the injection (the tracer) is authorized.
  3. If the tracer is not authorized in this environment, or is not normally known to use the ptrace syscall, contain the host or container and roll back to a known good configuration. Initiate the incident response process.

Requires Agent version 7.35 or greater