Query Details

Rule: Detection of Ptrace System Call (PTraceDetected)

Ptrace Detected

Query

DeviceEvents 
| where ActionType == "PTraceDetected"

About this query

Rule: Detection of Ptrace System Call (PTraceDetected)

Description

This detection rule identifies the usage of the ptrace system call on Linux systems. The ptrace system call is used by debuggers and other programs to observe and control the execution of another process. While ptrace is a legitimate tool, it can also be misused by attackers for various malicious activities such as process injection, code execution, and obtaining sensitive information from other processes.

This rule monitors for events where the ptrace system call is detected. Unauthorized use of ptrace can indicate attempts to hijack or manipulate running processes.

Detection Logic

  • Monitors DeviceEvents for events where:
    • The ActionType is "PTraceDetected".

Tags

  • Process Injection
  • ptrace
  • Linux Security
  • Suspicious Activity
  • MITRE T1055.008

Search Query

Explanation

This query is designed to detect the use of the ptrace system call on Linux systems. The ptrace system call is typically used by debuggers to monitor and control the execution of other processes, but it can also be exploited by attackers for malicious purposes such as injecting code into processes, executing unauthorized code, or extracting sensitive information.

The query specifically looks for events in the DeviceEvents table where the ActionType is "PTraceDetected". This helps identify any unauthorized or suspicious use of ptrace, which could indicate potential security threats.

Key Points:

  • Purpose: Detects the use of the ptrace system call.
  • Context: ptrace can be used legitimately by debuggers but also maliciously by attackers.
  • Detection: Monitors DeviceEvents for the action type "PTraceDetected".
  • Relevance: Helps identify potential process injection and other suspicious activities on Linux systems.
  • Tags: Process Injection, ptrace, Linux Security, Suspicious Activity, MITRE T1055.008.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 8, 2024

Tables

DeviceEvents

Keywords

DeviceEventsProcessInjectionPtraceLinuxSecuritySuspiciousActivityMITRE

Operators

`|``where``==`

MITRE Techniques

Actions

GitHub