HIGH
Source
Tracee
ID
TRC-3
Version
0.1.0
Date
28 Jun 2022

Code Injection

Possible code injection into another process

MITRE ATT&CK

Defense Evasion: Process Injection

Rego Policy

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
package tracee.TRC_3

import data.tracee.helpers

__rego_metadoc__ := {
	"id": "TRC-3",
	"version": "0.1.0",
	"name": "Code injection",
	"description": "Possible code injection into another process",
	"tags": ["linux", "container"],
	"properties": {
		"Severity": 3,
		"MITRE ATT&CK": "Defense Evasion: Process Injection",
	},
}

eventSelectors := [
	{
		"source": "tracee",
		"name": "ptrace",
	},
	{
		"source": "tracee",
		"name": "security_file_open",
	},
	{
		"source": "tracee",
		"name": "process_vm_writev",
	},
]

tracee_selected_events[eventSelector] {
	eventSelector := eventSelectors[_]
}

tracee_match {
	input.eventName == "ptrace"
	arg_value = helpers.get_tracee_argument("request")
	arg_value == "PTRACE_POKETEXT"
}

tracee_match = res {
	input.eventName == "security_file_open"
	flags = helpers.get_tracee_argument("flags")

	helpers.is_file_write(flags)

	pathname := helpers.get_tracee_argument("pathname")

	regex.match(`/proc/(?:\d.+|self)/mem`, pathname)

	res := {
		"file flags": flags,
		"file path": pathname,
	}
}

tracee_match {
	input.eventName == "process_vm_writev"
	dst_pid = helpers.get_tracee_argument("pid")
	dst_pid != input.processId
}