Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create Rule to detect Linux Process Code Injection #4592

Merged
merged 4 commits into from
Dec 1, 2023
Merged

Create Rule to detect Linux Process Code Injection #4592

merged 4 commits into from
Dec 1, 2023

Conversation

skaynum
Copy link
Contributor

@skaynum skaynum commented Nov 25, 2023
edited by nasbench
Loading

Summary of the Pull Request

This commit adds a new experimental rule that attempts to detect process injection by utilizing the dd command to inject malicious code in the process memory under /proc/mem example provided in this project https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh

Changelog

new: Potential Linux Process Code Injection Via DD Utility

Example Log Event

dd if=payload.bin of=/proc/${PID}/mem

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@skaynum
Create Rule to detect Process Injection
024315f 
This commit adds a new experimental rule that attempts to detect process injection by utilizing the dd command to inject malicious code in the process memory under /proc/mem
example provided in this project https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh
@skaynum
Merge pull request #1 from skaynum/skaynum-patch-1
c0c5d22 
Create Rule to detect Linux Process Code Injection
@github-actions github-actions bot added Rules Linux Pull request add/update linux related rules labels Nov 25, 2023
@skaynum skaynum requested a review from frack113 November 29, 2023 18:56
@frack113 frack113 requested a review from nasbench November 30, 2023 05:47
@nasbench nasbench added the Work In Progress Some changes are needed label Nov 30, 2023
@nasbench nasbench removed the Work In Progress Some changes are needed label Dec 1, 2023
@nasbench nasbench requested a review from phantinuss December 1, 2023 00:03
@nasbench nasbench added the 2nd Review Needed PR need a second approval label Dec 1, 2023
@phantinuss phantinuss merged commit fade537 into SigmaHQ:master Dec 1, 2023
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench approved these changes

@frack113 frack113 frack113 approved these changes

@phantinuss phantinuss phantinuss approved these changes

Assignees
No one assigned
Labels
2nd Review Needed PR need a second approval Linux Pull request add/update linux related rules Rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@skaynum @nasbench @frack113 @phantinuss