Linux Process Hooking via GDB

This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and "bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.

Elastic rule

```toml
[metadata]
creation_date = "2023/08/30"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule monitors for potential memory dumping through gdb. Attackers may leverage memory dumping techniques to attempt
secret extraction from privileged processes. Tools that display this behavior include "truffleproc" and
"bash-memory-dump". This behavior should not happen by default, and should be investigated thoroughly.
"""
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Linux Process Hooking via GDB"
references = ["https://github.com/controlplaneio/truffleproc", "https://github.com/hajzer/bash-memory-dump"]
risk_score = 21
rule_id = "66c058f3-99f4-4d18-952b-43348f2577a0"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Data Source: Elastic Endgame",
    "Data Source: Auditd Manager",
    "Data Source: Crowdstrike",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started")
 and process.name == "gdb" and process.args in ("--pid", "-p") and
/* Covered by d4ff2f53-c802-4d2e-9fb9-9ecc08356c3f */
process.args != "1"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Linux Process Hooking via GDB

GDB, the GNU Debugger, is a powerful tool used for debugging applications by inspecting their memory and execution flow. Adversaries can exploit GDB to attach to running processes, potentially extracting sensitive information like credentials. The detection rule identifies suspicious use of GDB by monitoring process initiation with specific arguments, flagging potential unauthorized memory access attempts for further investigation.

### Possible investigation steps

- Review the process details to confirm the presence of GDB by checking if the process name is "gdb" and the arguments include "--pid" or "-p".
- Identify the target process that GDB is attempting to attach to by examining the process arguments and cross-referencing the process ID.
- Investigate the user account under which the GDB process is running to determine if it is authorized to perform debugging tasks on the target process.
- Check the system logs and audit logs for any unusual activity or prior attempts to access sensitive processes or data around the time the GDB process was initiated.
- Correlate the event with other security alerts or anomalies in the environment to assess if this is part of a broader attack pattern or isolated incident.
- Evaluate the necessity and legitimacy of the GDB usage in the context of the system's normal operations and the user's role.
- If unauthorized access is suspected, consider isolating the affected system and conducting a deeper forensic analysis to prevent potential data exfiltration.

### False positive analysis

- Development and debugging activities may trigger the rule when developers use GDB for legitimate purposes. To manage this, create exceptions for specific user accounts or development environments where GDB usage is expected.
- Automated scripts or maintenance tasks that utilize GDB for process inspection can also cause false positives. Identify these scripts and exclude their execution paths or associated user accounts from the rule.
- Security tools or monitoring solutions that use GDB for legitimate process analysis might be flagged. Verify these tools and whitelist their processes or execution contexts to prevent unnecessary alerts.
- Training or educational environments where GDB is used for learning purposes can lead to false positives. Consider excluding these environments or specific user groups from the rule to avoid interference with educational activities.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate the GDB process if it is confirmed to be unauthorized, using process management tools to stop the process safely.
- Conduct a memory dump analysis of the affected system to identify any potential data leakage or extraction of sensitive information.
- Review system logs and audit trails to identify any additional unauthorized access attempts or related suspicious activities.
- Change credentials for any accounts that may have been exposed or accessed during the incident to prevent unauthorized use.
- Implement stricter access controls and monitoring for systems that handle sensitive information to prevent similar incidents.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"
[[rule.threat.technique.subtechnique]]
id = "T1003.007"
name = "Proc Filesystem"
reference = "https://attack.mitre.org/techniques/T1003/007/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
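The following is an added example, not Elastic's code and not part of the rule above: a stand-alone Python model of the EQL predicate, run over a handful of constructed ECS-style process events, together with a small triage helper for the "identify the target process" step in the investigation guide. It assumes `process.args` is a list of tokens, reads `in`/`==` on that list as "some argument matches", and reads the trailing `process.args != "1"` as "no argument is exactly `1`" (the query's own comment says an attach to PID 1 is covered by a separate rule). Those readings of the array semantics are assumptions for this model; confirm them against your stack before relying on them. The helper also accepts the joined `--pid=<pid>` form that gdb supports, which the rule's `process.args in ("--pid", "-p")` test does not match because that token is not a standalone flag; that gap is worth knowing when tuning the rule.

```python
"""Added example (not Elastic's rule code): model the EQL query over constructed
ECS-style events and recover the attach target for triage."""
from typing import Optional

# Literal values copied from the rule's query.
EXEC_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
ATTACH_FLAGS = {"--pid", "-p"}


def matches_rule(event: dict) -> bool:
    """Python model of the rule's predicate.

    Assumed semantics (not taken from the page): process.args is a list,
    `in` on it means "some argument is in the set", and `!= "1"` means
    "no argument is exactly '1'", leaving PID 1 to the rule the query
    comment cites.
    """
    os_type = event.get("host", {}).get("os", {}).get("type")
    ev = event.get("event", {})
    proc = event.get("process", {})
    args = proc.get("args") or []
    if os_type != "linux" or ev.get("type") != "start":
        return False
    if ev.get("action") not in EXEC_ACTIONS:
        return False
    if proc.get("name") != "gdb":
        return False
    if not any(a in ATTACH_FLAGS for a in args):
        return False
    return "1" not in args


def target_pid(args: list) -> Optional[int]:
    """Triage helper: the PID gdb was asked to attach to, or None.

    Handles the standalone forms the rule keys on (`-p 123`, `--pid 123`)
    and the joined `--pid=123` form, which the rule does not match because
    that argument is a single token rather than the bare flag.
    """
    for i, a in enumerate(args):
        if a in ATTACH_FLAGS and i + 1 < len(args) and args[i + 1].isdigit():
            return int(args[i + 1])
        if a.startswith("--pid=") and a[len("--pid="):].isdigit():
            return int(a[len("--pid="):])
    return None


def make_event(args, action="exec", name="gdb", os_type="linux"):
    """Build a minimal constructed ECS-style process start event."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": "start", "action": action},
        "process": {"name": name, "args": args},
    }


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    make_event(["gdb", "-p", "4242"]),                            # attach to a pid: alerts
    make_event(["gdb", "--pid", "4242"], action="process_started"),  # alerts
    make_event(["gdb", "-p", "1"]),                               # PID 1: left to the other rule
    make_event(["gdb", "--pid=4242"]),                            # joined form: rule does not match
    make_event(["gdb", "./a.out"]),                               # ordinary debug session: no attach flag
    make_event(["gdb", "-p", "4242"], os_type="windows"),         # wrong OS
]


def run(events=SAMPLE_EVENTS):
    """Return (args, rule_hit, target_pid) for each event."""
    return [(e["process"]["args"], matches_rule(e), target_pid(e["process"]["args"]))
            for e in events]


if __name__ == "__main__":
    for args, hit, pid in run():
        print(f"{'ALERT ' if hit else 'ignore'} args={args} target_pid={pid}")
```

Running the block shows the first two events alerting, the PID 1 event and the `--pid=4242` event passing silently, and the triage helper still recovering a PID from all three attach forms, which is the information an analyst needs to cross-reference the target process and its owner.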

