From 024315fe88711fdab774868802bf37fb66ef2040 Mon Sep 17 00:00:00 2001
From: skaynum <152009163+skaynum@users.noreply.github.com>
Date: Sat, 25 Nov 2023 17:53:53 +0300
Subject: [PATCH] Create Rule to detect Process Injection
This commit adds a new experimental rule that attempts to detect process injection by utilizing the dd command to inject malicious code in the process memory under /proc/mem example provided in this project https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh
---
 ...proc_creation_lnx_dd_process_injection.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
new file mode 100644
index 00000000000..f06e08f3b06
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
@@ -0,0 +1,27 @@
+title: Possible Linux Process Code Injection
+id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
+status: experimental
+description: This rule detects the injetion of code by overwriting the memory map of a linux process using the linux command dd.
+references:
+    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
+    - https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh
+    - https://attack.mitre.org/techniques/T1055/009/
+author: Joseph Kamau
+date: 2023/11/25
+tags:
+    - attack.defense_evasion
+    - attack.t1055.009
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/dd'
+        CommandLine|contains|all:
+            - 'of='
+            - '/proc/'
+            - '/mem'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
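Review bot: The `CommandLine|contains|all` selection is order-insensitive, so it does not tie the `/proc/` and `/mem` fragments to the output operand: a benign `dd if=/proc/meminfo of=/tmp/out` satisfies all three substrings ('of=', '/proc/', '/mem' inside '/meminfo') and fires the rule. Tightening the list to `- 'of=/proc/'` and `- '/mem'` binds the proc path to the write target, which is the behaviour the referenced overwrite.sh actually exhibits; the trade-off is missing command lines where the operand is quoted or split, which the note in `falsepositives` could mention alongside a more specific entry than `Unknown` (e.g. administrative tooling that dumps process memory for diagnostics). The description also has a typo, `injetion` → `injection`, and `linux` should be capitalised as `Linux` to match the project's other rule descriptions.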