T1055.008 Ptrace System Calls Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect ptrace-based process injection on Linux endpoints
// Monitor for ptrace system calls from non-debugger processes
Syslog
| where TimeGenerated > ago(24h)
| where Facility == "authpriv" or Facility == "auth" or Facility == "kern"
| where SyslogMessage has "ptrace" or SyslogMessage has "PTRACE"
| where SyslogMessage !has "gdb" and SyslogMessage !has "strace" and SyslogMessage !has "ltrace"
| project TimeGenerated, Computer, SyslogMessage, Facility, SeverityLevel
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Process: OS API Execution Process: Process Access Linux auditd Syslog

Required Tables

Syslog

False Positives

Software developers using gdb, strace, or ltrace for legitimate debugging
Container runtime tools (Docker, containerd) using ptrace for process namespace management
System administration tools performing ptrace for diagnostic purposes
Security scanners and vulnerability assessment tools that ptrace processes for analysis

Splunk

spl

index=linux sourcetype="linux:audit" type=SYSCALL syscall=101
| eval exe_name=mvindex(split(exe, "/"), -1)
| search NOT exe_name IN ("gdb", "strace", "ltrace", "valgrind", "perf", "dockerd", "containerd", "runc")
| eval ptrace_request=case(
    a0="0", "PTRACE_TRACEME",
    a0="1", "PTRACE_PEEKTEXT",
    a0="2", "PTRACE_PEEKDATA",
    a0="4", "PTRACE_POKETEXT",
    a0="5", "PTRACE_POKEDATA",
    a0="6", "PTRACE_CONT",
    a0="10" OR a0="16", "PTRACE_ATTACH",
    a0="11" OR a0="17", "PTRACE_DETACH",
    a0="d" OR a0="13", "PTRACE_SETREGS",
    a0="19" OR a0="25", "PTRACE_SEIZE",
    1=1, "PTRACE_OTHER_" . a0
)
| eval InjectionIndicator=if(match(ptrace_request, "(POKETEXT|POKEDATA|SETREGS|ATTACH|SEIZE)"), "High - Write/Modify capability", "Low - Read-only operation")
| table _time, host, auid, uid, exe, pid, ptrace_request, a1, InjectionIndicator
| sort - _time

high severity medium confidence

Data Sources

Process: OS API Execution Linux auditd syscall=101 (ptrace on x86_64)

Required Sourcetypes

linux:audit

False Positives

Developers using gdb/strace/ltrace for debugging
Container runtimes using ptrace for namespace operations
Performance profiling tools (perf, valgrind) using ptrace
Security scanning tools performing process analysis via ptrace

Elastic Security (EQL)

eql

process where host.os.type == "linux"
  and event.module == "auditd"
  and auditd.data.syscall == "ptrace"
  and auditd.data.a0 in ("4", "5", "d", "10", "13", "16", "19", "25")
  and not process.name in ("gdb", "strace", "ltrace", "valgrind", "perf", "dockerd", "containerd", "runc", "java", "py-spy")

high severity high confidence

Data Sources

Elastic Agent with Auditd integration (logs-auditd.log-*) Auditbeat with auditd module configured for syscall auditing Linux auditd with -a always,exit -F arch=b64 -S ptrace -k ptrace_injection rule

Required Tables

auditd-* .ds-logs-auditd.log-* .ds-logs-system.syslog-*

False Positives

Legitimate debuggers or IDE debug adapters installed to non-standard paths not matched by name exclusions (e.g., lldb, delve, rr, code-server debug shims)
JVM-based APM agents using the Attach API (com.sun.tools.attach) which internally uses ptrace on older kernel versions
Third-party EDR or AV agents that use ptrace for process introspection, memory scanning, or behavioral monitoring

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  "hostname" AS Hostname,
  username AS AuditUser,
  CASE
    WHEN UTF8(payload) LIKE '%a0=4 %'  THEN 'PTRACE_POKETEXT'
    WHEN UTF8(payload) LIKE '%a0=5 %'  THEN 'PTRACE_POKEDATA'
    WHEN UTF8(payload) LIKE '%a0=d %'
      OR UTF8(payload) LIKE '%a0=13 %' THEN 'PTRACE_SETREGS'
    WHEN UTF8(payload) LIKE '%a0=10 %'
      OR UTF8(payload) LIKE '%a0=16 %' THEN 'PTRACE_ATTACH'
    WHEN UTF8(payload) LIKE '%a0=19 %'
      OR UTF8(payload) LIKE '%a0=25 %' THEN 'PTRACE_SEIZE'
    ELSE 'PTRACE_OTHER'
  END AS PtraceOperation,
  CASE
    WHEN UTF8(payload) LIKE '%a0=4 %'
      OR UTF8(payload) LIKE '%a0=5 %'
      OR UTF8(payload) LIKE '%a0=d %'
      OR UTF8(payload) LIKE '%a0=10 %'
      OR UTF8(payload) LIKE '%a0=13 %'
      OR UTF8(payload) LIKE '%a0=16 %'
      OR UTF8(payload) LIKE '%a0=19 %'
      OR UTF8(payload) LIKE '%a0=25 %'
    THEN 'High - Write/Modify Capability'
    ELSE 'Low - Read-only'
  END AS InjectionRisk,
  UTF8(payload) AS RawLog
FROM events
WHERE LOGSOURCETYPEID IN (12, 296)
  AND (
    UTF8(payload) ILIKE '%syscall=101%'
    OR (UTF8(payload) ILIKE '%type=SYSCALL%' AND UTF8(payload) ILIKE '%ptrace%')
  )
  AND (
    UTF8(payload) LIKE '%a0=4 %'
    OR UTF8(payload) LIKE '%a0=5 %'
    OR UTF8(payload) LIKE '%a0=d %'
    OR UTF8(payload) LIKE '%a0=10 %'
    OR UTF8(payload) LIKE '%a0=13 %'
    OR UTF8(payload) LIKE '%a0=16 %'
    OR UTF8(payload) LIKE '%a0=19 %'
    OR UTF8(payload) LIKE '%a0=25 %'
  )
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/gdb"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/strace"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/ltrace"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/valgrind"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/perf"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/sbin/dockerd"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/sbin/runc"%'
  LAST 24 HOURS
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

QRadar Linux OS DSM (LOGSOURCETYPEID 12) via syslog from auditd QRadar Linux AUDIT DSM (LOGSOURCETYPEID 296) via auditd audisp-remote QRadar Universal DSM receiving Linux auditd SYSCALL records

Required Tables

events

False Positives

Legitimate debuggers installed to non-standard paths (e.g., /opt/devtools/bin/gdb) whose exe path does not match the hardcoded exclusions
CI/CD pipeline runner agents that spawn test harnesses using ptrace for coverage instrumentation (e.g., kcov, gcov)
Container orchestration tooling such as nsenter or criu (checkpoint/restore) that uses ptrace-like mechanisms for namespace entry or process migration

Sumo Logic CSE

sql

(_sourceCategory=linux/audit OR _sourceCategory=linux/auditd OR _sourceCategory=os/linux*)
| where _raw matches /type=SYSCALL/
| where _raw matches /syscall=101/ OR _raw matches /syscall=ptrace/
| parse "exe=\"*\"" as exe_path nodrop
| parse "pid=* " as caller_pid nodrop
| parse "a0=* " as ptrace_a0 nodrop
| parse "a1=* " as target_pid nodrop
| parse "auid=* " as audit_uid nodrop
| parse "uid=* " as uid nodrop
| where !(exe_path matches /\/(gdb|strace|ltrace|valgrind|perf|dockerd|containerd|runc|lldb|py-spy)$/)
| where ptrace_a0 in ("4", "5", "d", "10", "13", "16", "19", "25")
| eval ptrace_operation = if(ptrace_a0 == "4", "PTRACE_POKETEXT",
    if(ptrace_a0 == "5", "PTRACE_POKEDATA",
    if(ptrace_a0 matches /^(d|13)$/, "PTRACE_SETREGS",
    if(ptrace_a0 matches /^(10|16)$/, "PTRACE_ATTACH",
    if(ptrace_a0 matches /^(19|25)$/, "PTRACE_SEIZE", "PTRACE_OTHER")))))
| eval injection_risk = if(ptrace_operation in ("PTRACE_POKETEXT", "PTRACE_POKEDATA", "PTRACE_SETREGS", "PTRACE_ATTACH", "PTRACE_SEIZE"), "HIGH", "LOW")
| count by _sourceHost, exe_path, caller_pid, target_pid, audit_uid, uid, ptrace_operation, injection_risk
| sort by _count desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Local File Source tailing /var/log/audit/audit.log Sumo Logic Cloud Syslog receiving auditd events via audisp-remote Sumo Logic Linux app with auditd source category configured

Required Tables

_sourceCategory=linux/audit _sourceCategory=linux/auditd _sourceCategory=os/linux*

False Positives

Custom internal debugging or tracing tools installed under unexpected binary names that bypass name-based exclusions
Java applications using the Attach API for dynamic instrumentation (e.g., Datadog, New Relic, Dynatrace agents attaching to JVM) which trigger PTRACE_ATTACH
Sanitizer-instrumented binaries (AddressSanitizer, ThreadSanitizer) running under test infrastructure that internally invoke ptrace for signal handling

Google Chronicle / SecOps

yaral

rule linux_ptrace_injection_t1055_008 {
  meta:
    author = "Detection Engineering"
    description = "Detects ptrace syscalls with write or attach capability on Linux endpoints indicating process injection - T1055.008"
    mitre_attack_technique = "T1055.008"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1055/008/"

  events:
    // Chronicle normalizes Linux auditd PTRACE_ATTACH and PTRACE_SEIZE events
    // to PROCESS_OPEN in UDM when the Linux forwarder parses auditd SYSCALL records
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.principal.process.pid > 0
    $e.target.process.pid > 0
    $e.principal.process.pid != $e.target.process.pid
    $e.principal.asset.platform_software.platform = "LINUX"
    $e.principal.process.file.full_path != ""
    not re.regex(
      $e.principal.process.file.full_path,
      `/(gdb|strace|ltrace|valgrind|perf|dockerd|containerd|runc|lldb|py-spy|rbspy)$`
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle SIEM with Linux auditd log ingestion via Chronicle Forwarder Chronicle UDM log type LINUX_SYSLOG or LINUX_AUDITD with auditd SYSCALL record parsing Chronicle with Google Cloud ops agent forwarding Linux audit events

Required Tables

UDM Events (event_type = PROCESS_OPEN from Linux endpoints)

False Positives

Legitimate profiling tools (e.g., py-spy, rbspy, async-profiler) that attach to running processes for performance analysis and are installed under unexpected paths
Service mesh sidecar or observability agents (e.g., eBPF-based tools with ptrace fallback) performing process enumeration or metric collection
Kubernetes ephemeral debug containers or kubectl debug sessions that invoke ptrace-based attach operations against pods on the same node

CrowdStrike LogScale (CQL)

cql

// Detect ptrace-based process injection on Linux via CrowdStrike Falcon telemetry
// Primary signal: Falcon ProcessInjection behavioral event on Linux platform
#event_simpleName = "ProcessInjection"
| where PlatformId = "15"  // 0x0F = Linux
| where SourceProcessId != TargetProcessId
| where not FileName in ["gdb", "strace", "ltrace", "valgrind", "perf", "dockerd", "containerd", "runc"]
| eval InjectionRisk = if(match(InjectionType, "(1|2|3)"), "High - Memory Write or Process Attach", "Medium - Other Injection")
| groupBy(
    [ComputerName, FileName, SourceProcessId, TargetProcessId, InjectionType, InjectionRisk, UserName],
    function=[
      count(as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| eval FirstSeenFmt  = formatTime("%Y-%m-%d %H:%M:%S", field=FirstSeen,  timezone="UTC")
| eval LastSeenFmt   = formatTime("%Y-%m-%d %H:%M:%S", field=LastSeen,   timezone="UTC")
| table [ComputerName, FileName, UserName, SourceProcessId, TargetProcessId, InjectionType, InjectionRisk, EventCount, FirstSeenFmt, LastSeenFmt]
| sort(EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Linux sensor (kernel module or eBPF sensor, version 6.x+) Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Humio/LogScale with Falcon event pipeline integration

Required Tables

#event_simpleName = ProcessInjection (Falcon behavioral telemetry)

False Positives

Authorized red team or penetration testing tools running on in-scope Linux hosts that have not been configured with sensor exclusions
Third-party AV or EDR co-existence scenarios where another security agent uses ptrace for process monitoring and Falcon generates a ProcessInjection event for it
Certain container runtime implementations (e.g., rootless Podman with seccomp disabled) that use ptrace-like mechanisms for user namespace setup during container creation

Ptrace System Calls

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections