Merge pull request #1 from skaynum/skaynum-patch-1

Create Rule to detect Linux Process Code Injection
skaynum · Nov 25, 2023 · c0c5d22 · c0c5d22
2 parents 2c24b24 + 024315f
commit c0c5d22
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
@@ -0,0 +1,27 @@
+title: Possible Linux Process Code Injection
+id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
+status: experimental
+description: This rule detects the injetion of code by overwriting the memory map of a linux process using the linux command dd.
+references:
+    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
+    - https://github.com/AonCyberLabs/Cexigua/blob/master/overwrite.sh
+    - https://attack.mitre.org/techniques/T1055/009/
+author: Joseph Kamau
+date: 2023/11/25
+tags:
+    - attack.defense_evasion
+    - attack.t1055.009
+logsource:
+    product: linux
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '/dd'
+        CommandLine|contains|all:
+            - 'of='
+            - '/proc/'
+            - '/mem'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium