T1055.008 CrowdStrike LogScale · LogScale

Detect Ptrace System Calls in CrowdStrike LogScale

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values. Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target process's memory.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.008 Ptrace System Calls
Canonical reference
https://attack.mitre.org/techniques/T1055/008/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

```cql
// Detect ptrace-based process injection on Linux via CrowdStrike Falcon telemetry
// Primary signal: Falcon ProcessInjection behavioral event on the Linux platform
#event_simpleName = "ProcessInjection"
| PlatformId = "15"  // 0x0F = Linux
| SourceProcessId != TargetProcessId
// Exclude sanctioned debuggers, profilers and container runtimes that legitimately ptrace
| !in(FileName, values=["gdb", "strace", "ltrace", "valgrind", "perf", "dockerd", "containerd", "runc"])
// InjectionType 1-3 are Falcon's memory-write and attach primitives
| case {
    in(InjectionType, values=["1", "2", "3"]) | InjectionRisk := "High - Memory Write or Process Attach";
    * | InjectionRisk := "Medium - Other Injection";
  }
| groupBy(
    [ComputerName, FileName, SourceProcessId, TargetProcessId, InjectionType, InjectionRisk, UserName],
    function=[
      count(as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| FirstSeenFmt := formatTime("%Y-%m-%d %H:%M:%S", field=FirstSeen, timezone="UTC")
| LastSeenFmt := formatTime("%Y-%m-%d %H:%M:%S", field=LastSeen, timezone="UTC")
| table([ComputerName, FileName, UserName, SourceProcessId, TargetProcessId, InjectionType, InjectionRisk, EventCount, FirstSeenFmt, LastSeenFmt])
| sort(EventCount, order=desc)
```

Severity: high · Confidence: medium

Detects process injection events on Linux endpoints via CrowdStrike Falcon's ProcessInjection telemetry, which the Falcon sensor generates when it observes ptrace-based memory write or process attach operations (PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_SETREGS, PTRACE_ATTACH, PTRACE_SEIZE). Groups events by source/target process pair to surface repeated injection patterns from a single actor. PlatformId 15 (0x0F) scopes results to Linux hosts only. InjectionType values 1-3 correspond to Falcon's classification of memory-write and attach primitives.

Data Sources

  • CrowdStrike Falcon Linux sensor (kernel module or eBPF sensor, version 6.x+)
  • Falcon Data Replicator (FDR) streaming to LogScale
  • CrowdStrike Humio/LogScale with Falcon event pipeline integration

Required Tables

#event_simpleName = ProcessInjection (Falcon behavioral telemetry)

False Positives & Tuning

  • Authorized red team or penetration testing tools running on in-scope Linux hosts that have not been configured with sensor exclusions
  • Third-party AV or EDR co-existence scenarios where another security agent uses ptrace for process monitoring and Falcon generates a ProcessInjection event for it
  • Certain container runtime implementations (e.g., rootless Podman with seccomp disabled) that use ptrace-like mechanisms for user namespace setup during container creation

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Ptrace Attachment via strace

    Expected signal: auditd: SYSCALL type with syscall=101, a0=16 (PTRACE_ATTACH), a1=<target_pid>, exe=/usr/bin/strace. /proc/<target_pid>/status will show TracerPid=<strace_pid> while attached.

  2. Test 2: Ptrace Memory Read via /proc/pid/mem

    Expected signal: auditd: open() syscall on /proc/<pid>/maps. If ptrace is used: SYSCALL with syscall=101. The /proc/pid/maps read itself may be logged by auditd file access rules.

  3. Test 3: Check ptrace_scope Kernel Setting

    Expected signal: No security telemetry — this is a configuration check. The output shows the current ptrace restriction level.
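As an added example (not part of this page or of CrowdStrike's tooling), a small Python parser that applies the tests' expected signal to raw auditd SYSCALL records: it decodes syscall=101 on x86_64 (arch=c000003e), maps the a0 request code to its ptrace(2) name, drops an allowlist of sanctioned debuggers, and counts events per tracer/target pair the way the query's groupBy does. auditd writes a0..a3 in hex, so PTRACE_ATTACH (16) appears as a0=10; the sample records and the allowlist are constructed, not real telemetry.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed auditd SYSCALL records (not real telemetry). auditd logs a0..a3 in hex, so
# PTRACE_ATTACH (16) appears as a0=10 and the target pid 1234 as a1=4d2.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=1000 pid=2001 auid=1000 uid=1000 gid=1000 comm="strace" exe="/usr/bin/strace" key="ptrace"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7f0000001000 a3=90909090 items=0 ppid=1000 pid=2002 auid=1000 uid=1000 gid=1000 comm="inj" exe="/tmp/inj" key="ptrace"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=101 success=yes exit=0 a0=d a1=4d2 a2=0 a3=7ffd00001000 items=0 ppid=1000 pid=2002 auid=1000 uid=1000 gid=1000 comm="inj" exe="/tmp/inj" key="ptrace"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5555 a2=0 a3=0 items=1 ppid=1000 pid=2003 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="proc-maps"
type=SYSCALL msg=audit(1700000000.505:205): arch=c000003e syscall=101 success=yes exit=0 a0=4206 a1=4d2 a2=0 a3=0 items=0 ppid=1 pid=2004 auid=4294967295 uid=0 gid=0 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
"""

ARCH_X86_64 = "c000003e"
PTRACE_SYSCALL_X86_64 = 101  # aarch64 uses 117, so check arch before trusting the number
# Request codes from <sys/ptrace.h>: the write/attach primitives the Falcon description names
PTRACE_REQUESTS = {0x4: "PTRACE_POKETEXT", 0x5: "PTRACE_POKEDATA", 0xD: "PTRACE_SETREGS",
                   0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}
# Hypothetical allowlist of sanctioned debuggers, mirroring the query's FileName filter
ALLOWLISTED_EXE = {"/usr/bin/gdb", "/usr/bin/strace", "/usr/bin/ltrace"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    # Split one auditd record into key/value pairs, dropping the quotes around values
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def decode_ptrace(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    # Return a decoded ptrace event, or None if the record is not an x86_64 ptrace(2) call
    if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH_X86_64:
        return None
    if int(rec.get("syscall", -1)) != PTRACE_SYSCALL_X86_64:
        return None
    request = int(rec["a0"], 16)
    return {"pid": int(rec["pid"]), "target_pid": int(rec["a1"], 16), "exe": rec.get("exe", ""),
            "request": PTRACE_REQUESTS.get(request, f"PTRACE_REQ_{request:#x}"),
            "high_risk": request in PTRACE_REQUESTS, "allowlisted": rec.get("exe") in ALLOWLISTED_EXE}

def find_ptrace_alerts(log_text: str) -> List[Dict[str, object]]:
    # Keep write/attach requests from non-allowlisted tracers, like the LogScale query's filters
    alerts = []
    for line in log_text.splitlines():
        ev = decode_ptrace(parse_record(line))
        if ev and ev["high_risk"] and not ev["allowlisted"]:
            alerts.append(ev)
    return alerts

def group_by_pair(alerts: List[Dict[str, object]]) -> Counter:
    # Mirror the query's groupBy: count events per (exe, tracer pid, target pid)
    return Counter((a["exe"], a["pid"], a["target_pid"]) for a in alerts)
```

Running `group_by_pair(find_ptrace_alerts(SAMPLE_AUDIT_LOG))` on the sample yields a single pair, `/tmp/inj` (pid 2002) writing into pid 1234 twice, while the strace and gdb records are dropped by the allowlist and the non-ptrace record never decodes.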
