← Back to Explore
sigmamediumHunting
Potential Linux Process Code Injection Via DD Utility
Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
Detection Query
selection:
Image|endswith: /dd
CommandLine|contains|all:
- of=
- /proc/
- /mem
condition: selection
Author
Joseph Kamau
Created
2023-12-01
Data Sources
linuxProcess Creation Events
Platforms
linux
References
Tags
attack.privilege-escalationattack.defense-evasionattack.t1055.009
Raw Content
title: Potential Linux Process Code Injection Via DD Utility
id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
status: test
description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
- https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
date: 2023-12-01
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1055.009
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/dd'
CommandLine|contains|all:
- 'of='
- '/proc/'
- '/mem'
condition: selection
falsepositives:
- Unknown
level: medium