Code Injection Detected Through Proc <PID> Mem File

HIGH
Source
Tracee
ID
TRC-1024
Version
1
Date
10 Dec 2024

Code Injection Detected Through Proc Mem File

Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.

MITRE ATT&CK

Defense Evasion: Proc Memory

Go Source

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
package main

import (
	"fmt"
	"regexp"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

type ProcMemCodeInjection struct {
	cb                 detect.SignatureHandler
	procMemPathPattern string
	compiledRegex      *regexp.Regexp
}

func (sig *ProcMemCodeInjection) Init(ctx detect.SignatureContext) error {
	var err error
	sig.cb = ctx.Callback
	sig.procMemPathPattern = `/proc/(?:\d.+)/mem$`
	sig.compiledRegex, err = regexp.Compile(sig.procMemPathPattern)
	return err
}

func (sig *ProcMemCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
	return detect.SignatureMetadata{
		ID:          "TRC-1024",
		Version:     "1",
		Name:        "Code injection detected through /proc/<pid>/mem file",
		EventName:   "proc_mem_code_injection",
		Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.",
		Properties: map[string]interface{}{
			"Severity":             3,
			"Category":             "defense-evasion",
			"Technique":            "Proc Memory",
			"Kubernetes_Technique": "",
			"id":                   "attack-pattern--d201d4cc-214d-4a74-a1ba-b3fa09fd4591",
			"external_id":          "T1055.009",
		},
	}, nil
}

func (sig *ProcMemCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	return []detect.SignatureEventSelector{
		{Source: "tracee", Name: "security_file_open", Origin: "*"},
	}, nil
}

func (sig *ProcMemCodeInjection) OnEvent(event protocol.Event) error {
	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {
	case "security_file_open":
		pathname, err := helpers.GetTraceeStringArgumentByName(eventObj, "pathname")
		if err != nil {
			return err
		}

		flags, err := helpers.GetTraceeIntArgumentByName(eventObj, "flags")
		if err != nil {
			return err
		}

		if helpers.IsFileWrite(flags) && sig.compiledRegex.MatchString(pathname) {
			metadata, err := sig.GetMetadata()
			if err != nil {
				return err
			}
			sig.cb(&detect.Finding{
				SigMetadata: metadata,
				Event:       event,
				Data:        nil,
			})
		}
	}

	return nil
}

func (sig *ProcMemCodeInjection) OnSignal(s detect.Signal) error {
	return nil
}
func (sig *ProcMemCodeInjection) Close() {}