Query Details

Ptrace Detected

Query

# Rule: Detection of Ptrace System Call (PTraceDetected)

## Description
This detection rule identifies the usage of the `ptrace` system call on Linux systems. The `ptrace` system call is used by debuggers (`gdb`, `lldb`) and tracing tools (`strace`, `ltrace`) to observe and control the execution of another process: it can read and write the target's registers and memory and single-step its execution. While `ptrace` is a legitimate tool, it can also be misused by attackers for process injection (writing shellcode into a running process and redirecting its instruction pointer), code execution in the context of another process, and reading sensitive information such as credentials or keys out of another process's memory. Attaching normally requires the same UID as the target or `CAP_SYS_PTRACE`, and the Yama LSM setting `kernel.yama.ptrace_scope` (1 restricts attaching to descendant processes, 2 to root with `CAP_SYS_PTRACE`, 3 disables attaching entirely) is the usual preventive control that complements this detection.

This rule fires on every `PTraceDetected` event the Microsoft Defender for Endpoint sensor reports for a Linux device, with no filtering on the tracing or traced process. Legitimate debugging and tracing will therefore appear alongside anything suspicious, so hits should be triaged on the initiating process, its command line, the account it runs as, and the process being traced. Unauthorized use of `ptrace` can indicate attempts to hijack or manipulate running processes.

- [MITRE ATT&CK Technique T1055.008: Process Injection - Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008/)

## Detection Logic
- Monitors `DeviceEvents` for events where:
  - The `ActionType` is "PTraceDetected".

## Tags
- Process Injection
- ptrace
- Linux Security
- Suspicious Activity
- MITRE T1055.008

## Search Query
```kql
DeviceEvents
| where ActionType == "PTraceDetected"
```

Explanation

This query is designed to detect the use of the ptrace system call on Linux systems. The ptrace system call is typically used by debuggers and tracing tools to monitor and control the execution of other processes, but it can also be exploited by attackers for malicious purposes such as injecting code into processes, executing unauthorized code, or extracting sensitive information from process memory.

The query looks for every event in the DeviceEvents table where the ActionType is "PTraceDetected". Because it applies no further filter, it surfaces all ptrace activity the sensor observes, legitimate and otherwise; on developer hosts and CI runners the bulk of hits will be routine debugging, so the query is best used as a hunting baseline and narrowed per environment (for example by excluding known debuggers or by focusing on non-interactive accounts and unexpected target processes) before it is turned into an alerting rule.

Key Points:

  • Purpose: Detects the use of the ptrace system call.
  • Context: ptrace can be used legitimately by debuggers but also maliciously by attackers.
  • Detection: Monitors DeviceEvents for the action type "PTraceDetected".
  • Relevance: Helps identify potential process injection and other suspicious activities on Linux systems.
  • Tags: Process Injection, ptrace, Linux Security, Suspicious Activity, MITRE T1055.008.
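An added example of how the baseline query above can be tuned for triage. This is not part of the original rule: the `KnownDebuggers` allow-list, the 7-day window, and the assumption that `FileName` carries the traced (target) process for `PTraceDetected` events are all assumptions to verify and adjust in your own tenant.

```kql
// Added example, not the original rule. Surfaces who is tracing what, grouped per device
// and account, and drops well-known debuggers (assumed allow-list; tune per environment).
let KnownDebuggers = dynamic(["gdb", "lldb", "strace", "ltrace"]);
DeviceEvents
| where Timestamp > ago(7d)                          // assumed hunting window
| where ActionType == "PTraceDetected"
| where InitiatingProcessFileName !in~ (KnownDebuggers)
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            // FileName is assumed to be the traced process for this action type
            TracedProcesses = make_set(FileName, 10),
            CommandLines = make_set(InitiatingProcessCommandLine, 5)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName
| order by Events asc                                 // rare tracers float to the top
```

Sorting by ascending count puts the rare tracer/device/account combinations first, which is where an unexpected binary attaching to `sshd`, a browser, or an agent process will stand out; a high-volume row from a build user running a test harness can be added to the allow-list once it has been confirmed.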

Details

Ali Hussein

Released: July 8, 2024

Tables

DeviceEvents

Keywords

DeviceEvents, Process Injection, Ptrace, Linux Security, Suspicious Activity, MITRE

Operators

`|`, `where`, `==`