HIGH
Source
Tracee
ID
TRC-103
Version
1
Date
10 Dec 2024

Code Injection Detected Using Ptrace

Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code; adversaries may use it in order to execute their malware.

MITRE ATT&CK

Defense Evasion: Ptrace System Calls

Go Source

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/pkg/events/parsers"
	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

// PtraceCodeInjection is the TRC-103 signature. It watches "ptrace" events and
// reports a finding when the request is PTRACE_POKETEXT or PTRACE_POKEDATA,
// the requests that write into a traced process's memory.
type PtraceCodeInjection struct {
	cb             detect.SignatureHandler // callback used to report findings; set in Init
	ptracePokeText int                     // numeric value of PTRACE_POKETEXT, cached in Init
	ptracePokeData int                     // numeric value of PTRACE_POKEDATA, cached in Init
}

// Init stores the finding callback from ctx and caches the numeric values of
// the two ptrace requests this signature matches, so OnEvent compares plain
// ints. It never returns an error.
func (sig *PtraceCodeInjection) Init(ctx detect.SignatureContext) error {
	pokeText := parsers.PTRACE_POKETEXT.Value()
	pokeData := parsers.PTRACE_POKEDATA.Value()

	sig.cb = ctx.Callback
	sig.ptracePokeText = int(pokeText)
	sig.ptracePokeData = int(pokeData)
	return nil
}

// GetMetadata returns the static description of this signature: its ID
// (TRC-103), version, names, and the MITRE ATT&CK properties (technique
// T1055.008, category defense-evasion, severity 3). The error is always nil.
func (sig *PtraceCodeInjection) GetMetadata() (detect.SignatureMetadata, error) {
	props := map[string]interface{}{
		"Severity":             3,
		"Category":             "defense-evasion",
		"Technique":            "Ptrace System Calls",
		"Kubernetes_Technique": "",
		"id":                   "attack-pattern--ea016b56-ae0e-47fe-967a-cc0ad51af67f",
		"external_id":          "T1055.008",
	}

	meta := detect.SignatureMetadata{
		ID:          "TRC-103",
		Version:     "1",
		Name:        "Code injection detected using ptrace",
		EventName:   "ptrace_code_injection",
		Description: "Possible code injection into another process was detected. Code injection is an exploitation technique used to run malicious code, adversaries may use it in order to execute their malware.",
		Properties:  props,
	}
	return meta, nil
}

// GetSelectedEvents subscribes this signature to every "ptrace" event from the
// "tracee" source, whatever its origin. The error is always nil.
func (sig *PtraceCodeInjection) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	selector := detect.SignatureEventSelector{
		Source: "tracee",
		Name:   "ptrace",
		Origin: "*",
	}
	return []detect.SignatureEventSelector{selector}, nil
}

// OnEvent inspects one event. Only events named "ptrace" are examined: when
// their "request" argument equals PTRACE_POKETEXT or PTRACE_POKEDATA (the
// values cached by Init), a Finding carrying this signature's metadata and the
// original event is handed to the callback. Any other event name is ignored.
//
// It returns an error when the payload is not a trace.Event or the "request"
// argument cannot be read. Only the request type is checked here; the target
// process and the tracer/tracee relationship are not inspected by this
// signature.
func (sig *PtraceCodeInjection) OnEvent(event protocol.Event) error {
	traceEvent, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}
	if traceEvent.EventName != "ptrace" {
		return nil
	}

	request, err := helpers.GetTraceeIntArgumentByName(traceEvent, "request")
	if err != nil {
		return err
	}

	// Memory-writing requests are the only ones that count as injection here.
	isPoke := request == sig.ptracePokeText || request == sig.ptracePokeData
	if !isPoke {
		return nil
	}

	metadata, err := sig.GetMetadata()
	if err != nil {
		return err
	}
	sig.cb(&detect.Finding{
		SigMetadata: metadata,
		Event:       event,
		Data:        nil,
	})
	return nil
}

// OnSignal is part of the signature interface; this signature does not react
// to signals and always returns nil.
func (sig *PtraceCodeInjection) OnSignal(_ detect.Signal) error {
	return nil
}
// Close is part of the signature interface; this signature holds no resources
// to release, so it is a no-op.
func (sig *PtraceCodeInjection) Close() {
}