Detects ptrace-based process injection by correlating audit logs of ptrace syscalls, memory modifications (e.g., poketext, pokedata), and suspicious register manipulation on a target process not normally debugged by the originator. Alerts on processes attempting to ptrace non-child or privileged processes, especially those followed by abnormal memory or execution behavior.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | auditd:SYSCALL | mmap, ptrace, process_vm_writev or direct memory ops |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Process Metadata (DC0034) | linux:osquery | state=attached/debugged |

| Field | Description |
|---|---|
| TargetProcessNameFilter | List of sensitive or rarely-debugged processes (e.g., sshd, systemd, container daemons) to alert on if ptraced |
| TimeWindowBetweenPtraceAndMemoryWrite | Threshold time (e.g., <10 seconds) between ptrace attach and pokedata syscall |
| UserContextMismatch | Flag when UID of tracer differs from UID of target process (e.g., privilege escalation or container breakout) |
| ProcessRelationshipConstraint | Allowlist relationships (e.g., parent-child) under which ptrace is considered benign |
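An added example (not part of this detection strategy's own content) of the correlation described above, applied to constructed auditd SYSCALL records: a PTRACE_ATTACH followed within the time window by a memory or register write from the same tracer to the same target is checked against the sensitive-process list, the UID mismatch rule and the parent-child allowlist. The process table, tunable values and sample pids are assumptions; x86_64 syscall and ptrace request numbers are used.

```python
import re

# ptrace request codes from <sys/ptrace.h>
PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS, PTRACE_ATTACH = 4, 5, 13, 16
WRITE_REQUESTS = {PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS}
# Tunables corresponding to the fields table (values are assumptions)
TARGET_PROCESS_NAME_FILTER = {"sshd", "systemd", "containerd"}      # TargetProcessNameFilter
TIME_WINDOW_SECONDS = 10.0                                           # TimeWindowBetweenPtraceAndMemoryWrite
# Constructed process metadata standing in for osquery's processes table: pid -> (comm, uid, ppid)
PROCS = {1: ("systemd", 0, 0), 900: ("sshd", 0, 1), 2000: ("bash", 1000, 1),
         4321: ("injector", 1000, 2000), 4400: ("gdb", 1000, 2000), 4401: ("myapp", 1000, 4400)}
# Constructed auditd SYSCALL records (abbreviated field set; a0 = request, a1 = target pid, both hex)
SAMPLE = [
    # pid 4321 (uid 1000) attaches to sshd (pid 900 = 0x384, uid 0) and writes its memory 1.2 s later
    'type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=384 a2=0 a3=0 items=0 ppid=2000 pid=4321 auid=1000 uid=1000 gid=1000 euid=1000 comm="injector" exe="/tmp/injector" key="ptrace"',
    'type=SYSCALL msg=audit(1700000001.300:102): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=384 a2=7f0 a3=90 items=0 ppid=2000 pid=4321 auid=1000 uid=1000 gid=1000 euid=1000 comm="injector" exe="/tmp/injector" key="ptrace"',
    # gdb (pid 4400) attaches to its own child myapp (pid 4401 = 0x1131) and sets registers: same uid, parent-child, benign
    'type=SYSCALL msg=audit(1700000002.000:103): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1131 a2=0 a3=0 items=0 ppid=2000 pid=4400 auid=1000 uid=1000 gid=1000 euid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1700000002.500:104): arch=c000003e syscall=101 success=yes exit=0 a0=d a1=1131 a2=0 a3=7ffd items=0 ppid=2000 pid=4400 auid=1000 uid=1000 gid=1000 euid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
]
REC = re.compile(r'audit\((?P<ts>\d+\.\d+):\d+\).*?\bsyscall=(?P<nr>\d+)\b.*?\ba0=(?P<a0>[0-9a-f]+)\b'
                 r'.*?\ba1=(?P<a1>[0-9a-f]+)\b.*?\bpid=(?P<pid>\d+)\b.*?\buid=(?P<uid>\d+)\b')

def parse_ptrace(line):
    """Return (ts, request, target_pid, tracer_pid, tracer_uid) for a ptrace SYSCALL record, else None."""
    m = REC.search(line)
    if not m or int(m["nr"]) != 101:  # 101 is the ptrace syscall number on x86_64
        return None
    return float(m["ts"]), int(m["a0"], 16), int(m["a1"], 16), int(m["pid"]), int(m["uid"])

def detect(lines, procs=PROCS):
    """Correlate PTRACE_ATTACH with a later memory/register write by the same tracer on the same target."""
    attaches, alerts = {}, []  # (tracer_pid, target_pid) -> attach timestamp
    for line in lines:
        if (ev := parse_ptrace(line)) is None:
            continue
        ts, req, target, tracer, tracer_uid = ev
        key = (tracer, target)
        if req == PTRACE_ATTACH:
            attaches[key] = ts
            continue
        if req not in WRITE_REQUESTS or key not in attaches or ts - attaches[key] > TIME_WINDOW_SECONDS:
            continue
        comm, target_uid, target_ppid = procs.get(target, ("?", -1, -1))
        checks = [("sensitive_target", comm in TARGET_PROCESS_NAME_FILTER),  # TargetProcessNameFilter
                  ("uid_mismatch", target_uid != tracer_uid),                # UserContextMismatch
                  ("non_child", target_ppid != tracer)]                      # ProcessRelationshipConstraint
        if reasons := [name for name, hit in checks if hit]:
            alerts.append({"tracer": tracer, "target": target, "comm": comm, "request": req, "reasons": reasons})
    return alerts
```

Running `detect(SAMPLE)` yields one alert for the injector-to-sshd pair and none for the gdb session, since that one satisfies the parent-child allowlist with matching UIDs.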