Potential Linux Process Code Injection Via DD Utility

Dec 1, 2023 · attack.defense_evasion attack.t1055.009 ·

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

Sigma rule (View on GitHub)

 1title: Potential Linux Process Code Injection Via DD Utility
 2id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
 3status: experimental
 4description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
 5references:
 6    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
 7    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
 8author: Joseph Kamau
 9date: 2023/12/01
10tags:
11    - attack.defense_evasion
12    - attack.t1055.009
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith: '/dd'
19        CommandLine|contains|all:
20            - 'of='
21            - '/proc/'
22            - '/mem'
23    condition: selection
24falsepositives:
25    - Unknown
26level: medium

References

Linux Based Inter-Process Code Injection Without Ptrace(2) | Aon

Using the default permission settings found in most major Linux distributions it is possible for a user to gain code injection in a process, without using ptrace.

Read More
Cexigua/overwrite.sh at 34d338620afae4c6335ba8d8d499e1d7d3d5d7b5 · AonCyberLabs/Cexigua

Linux based inter-process code injection without ptrace(2) - AonCyberLabs/Cexigua

Read More

Potential Linux Process Code Injection Via DD Utility

Sigma rule (View on GitHub)

References

Linux Based Inter-Process Code Injection Without Ptrace(2) | Aon

Cexigua/overwrite.sh at 34d338620afae4c6335ba8d8d499e1d7d3d5d7b5 · AonCyberLabs/Cexigua

Related rules