Rule: Detection of Ptrace System Call (PTraceDetected)
Ptrace Detected
Query
DeviceEvents
| where ActionType == "PTraceDetected"About this query
Rule: Detection of Ptrace System Call (PTraceDetected)
Description
This detection rule identifies the usage of the ptrace system call on Linux systems. The ptrace system call is used by debuggers and other programs to observe and control the execution of another process. While ptrace is a legitimate tool, it can also be misused by attackers for various malicious activities such as process injection, code execution, and obtaining sensitive information from other processes.
This rule monitors for events where the ptrace system call is detected. Unauthorized use of ptrace can indicate attempts to hijack or manipulate running processes.
Detection Logic
- Monitors
DeviceEventsfor events where:- The
ActionTypeis "PTraceDetected".
- The
Tags
- Process Injection
- ptrace
- Linux Security
- Suspicious Activity
- MITRE T1055.008
Search Query
Explanation
This query is designed to detect the use of the ptrace system call on Linux systems. The ptrace system call is typically used by debuggers to monitor and control the execution of other processes, but it can also be exploited by attackers for malicious purposes such as injecting code into processes, executing unauthorized code, or extracting sensitive information.
The query specifically looks for events in the DeviceEvents table where the ActionType is "PTraceDetected". This helps identify any unauthorized or suspicious use of ptrace, which could indicate potential security threats.
Key Points:
- Purpose: Detects the use of the
ptracesystem call. - Context:
ptracecan be used legitimately by debuggers but also maliciously by attackers. - Detection: Monitors
DeviceEventsfor the action type "PTraceDetected". - Relevance: Helps identify potential process injection and other suspicious activities on Linux systems.
- Tags: Process Injection, ptrace, Linux Security, Suspicious Activity, MITRE T1055.008.
