Potential Linux Process Code Injection Via DD Utility

Oct 23, 2025 · attack.privilege-escalation attack.defense-evasion attack.t1055.009 ·

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

Sigma rule (View on GitHub)

 1title: Potential Linux Process Code Injection Via DD Utility
 2id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
 3status: test
 4description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
 5references:
 6    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
 7    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
 8author: Joseph Kamau
 9date: 2023-12-01
10tags:
11    - attack.privilege-escalation
12    - attack.defense-evasion
13    - attack.t1055.009
14logsource:
15    product: linux
16    category: process_creation
17detection:
18    selection:
19        Image|endswith: '/dd'
20        CommandLine|contains|all:
21            - 'of='
22            - '/proc/'
23            - '/mem'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/

Read More
Cexigua/overwrite.sh at 34d338620afae4c6335ba8d8d499e1d7d3d5d7b5 · AonCyberLabs/Cexigua

Linux based inter-process code injection without ptrace(2) - AonCyberLabs/Cexigua

Read More

Potential Linux Process Code Injection Via DD Utility

Sigma rule (View on GitHub)

References

https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/

Cexigua/overwrite.sh at 34d338620afae4c6335ba8d8d499e1d7d3d5d7b5 · AonCyberLabs/Cexigua

Related rules