Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Sigma rule (View on GitHub)
1title: Potential Linux Process Code Injection Via DD Utility
2id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
3status: test
4description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
5references:
6 - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
7 - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
8author: Joseph Kamau
9date: 2023-12-01
10tags:
11 - attack.defense-evasion
12 - attack.t1055.009
13logsource:
14 product: linux
15 category: process_creation
16detection:
17 selection:
18 Image|endswith: '/dd'
19 CommandLine|contains|all:
20 - 'of='
21 - '/proc/'
22 - '/mem'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
Using the default permission settings found in most major Linux distributions it is possible for a user to gain code injection in a process, without using ptrace.
Read More -
Related rules
- Add Potential Suspicious New Download Source To Winget
- Arbitrary File Download Via IMEWDBLD.EXE
- Arbitrary File Download Via MSEDGE_PROXY.EXE
- Arbitrary File Download Via Squirrel.EXE
- Disable Internal Tools or Feature in Registry