DET0203 Detection Strategy for Ptrace-Based Process Injection on Linux

Item	Value
ID	DET0203
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1055.008 (Ptrace System Calls)

Analytics

Linux

AN0579

Detects ptrace-based process injection by correlating audit logs of ptrace syscalls, memory modifications (e.g., poketext, pokedata), and suspicious register manipulation on a target process not normally debugged by the originator. Alerts on processes attempting to ptrace non-child or privileged processes, especially those followed by abnormal memory or execution behavior.

Log Sources

Data Component	Name	Channel
OS API Execution (DC0021)	auditd:SYSCALL	mmap, ptrace, process_vm_writev or direct memory ops
Process Creation (DC0032)	auditd:SYSCALL	execve
Process Metadata (DC0034)	linux:osquery	state=attached/debugged

Mutable Elements

Field	Description
TargetProcessNameFilter	List of sensitive or rarely-debugged processes (e.g., sshd, systemd, container daemons) to alert on if ptraced
TimeWindowBetweenPtraceAndMemoryWrite	Threshold time (e.g., <10 seconds) between ptrace attach and pokedata syscall
UserContextMismatch	Flag when UID of tracer differs from UID of target process (e.g., privilege escalation or container breakout)
ProcessRelationshipConstraint	Allowlist relationships (e.g., parent-child) under which ptrace is considered benign