Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

44 lines (32 sloc) 1.57 KB

T1055 - Process Injection

Description from ATT&CK

Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Mac and Linux

Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)

  • LD_PRELOAD, LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)

How to Detect

Simulating the attack

echo #{path_to_shared_library} > /etc/ld.so.preload
echo /home/$USER/random.so > /etc/ld.so.preload

Data sources required to detect the attack

auditlogs (audit.rules)

bash_history logs

Splunk Queries to detect the attack

auditlogs(syscalls)

index=linux sourcetype=linux_audit preload_lib
Audit Rue to catch this
-w /etc/ld.so.preload -p wa -k preload_lib

bash_history

index=linux sourcetype="bash_history" ld.so.preload | table host,user_name,bash_command

Caution/Caveat

Note:

You can’t perform that action at this time.