Detect Ptrace System Calls in IBM QRadar

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses and possibly elevate privileges. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each of its threads), including changing memory and register values. Ptrace system call injection is commonly performed by writing arbitrary code into a running process (for example, into a buffer the target allocated with malloc) and then invoking that memory with PTRACE_SETREGS, which sets the instruction-pointer register so the injected code executes next. It can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy one machine word at a time to a specific address in the target process's memory. Attaching is gated by the kernel: the tracer must run as the same uid as the target (or hold CAP_SYS_PTRACE), and the Yama ptrace_scope setting covered in Test 3 below can restrict attaching further or disable it outright.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.008 Ptrace System Calls
Canonical reference
https://attack.mitre.org/techniques/T1055/008/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(devicetime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  "hostname" AS Hostname,
  username AS AuditUser,
  CASE
    WHEN UTF8(payload) LIKE '%a0=4 %'    THEN 'PTRACE_POKETEXT'
    WHEN UTF8(payload) LIKE '%a0=5 %'    THEN 'PTRACE_POKEDATA'
    WHEN UTF8(payload) LIKE '%a0=d %'    THEN 'PTRACE_SETREGS'
    WHEN UTF8(payload) LIKE '%a0=10 %'   THEN 'PTRACE_ATTACH'
    WHEN UTF8(payload) LIKE '%a0=4206 %' THEN 'PTRACE_SEIZE'
    ELSE 'PTRACE_OTHER'
  END AS PtraceOperation,
  CASE
    WHEN UTF8(payload) LIKE '%a0=4 %'
      OR UTF8(payload) LIKE '%a0=5 %'
      OR UTF8(payload) LIKE '%a0=d %'
      OR UTF8(payload) LIKE '%a0=10 %'
      OR UTF8(payload) LIKE '%a0=4206 %'
    THEN 'High - Write/Modify Capability'
    ELSE 'Low - Read-only'
  END AS InjectionRisk,
  UTF8(payload) AS RawLog
FROM events
WHERE LOGSOURCETYPEID IN (12, 296)
  AND (
    UTF8(payload) ILIKE '%syscall=101%'
    OR (UTF8(payload) ILIKE '%type=SYSCALL%' AND UTF8(payload) ILIKE '%ptrace%')
  )
  AND (
    UTF8(payload) LIKE '%a0=4 %'
    OR UTF8(payload) LIKE '%a0=5 %'
    OR UTF8(payload) LIKE '%a0=d %'
    OR UTF8(payload) LIKE '%a0=10 %'
    OR UTF8(payload) LIKE '%a0=4206 %'
  )
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/gdb"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/strace"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/ltrace"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/valgrind"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/bin/perf"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/sbin/dockerd"%'
  AND UTF8(payload) NOT ILIKE '%exe="/usr/sbin/runc"%'
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: High
Confidence: Medium

Detects the ptrace syscall (number 101 on x86_64) with injection-capable request types in Linux auditd SYSCALL records stored in QRadar. Operates against LOGSOURCETYPEID 12 (Linux OS DSM) and 296 (Linux AUDIT DSM). The request type is read from the a0 argument, which auditd prints as bare lowercase hex with no 0x prefix: PTRACE_POKETEXT (4) and PTRACE_POKEDATA (5) appear as a0=4 and a0=5, PTRACE_SETREGS (13) as a0=d, PTRACE_ATTACH (16) as a0=10 and PTRACE_SEIZE (0x4206) as a0=4206. Decimal spellings such as a0=13 or a0=16 never occur in raw audit output (read as hex they would be PTRACE_SETFPXREGS and an undefined request), so the query matches only the hex forms. The trailing space in each LIKE pattern stops a0=4 from also matching a0=4206 or a0=4d2. Telemetry only exists if an audit rule logs the syscall, for example `-a always,exit -F arch=b64 -S ptrace -k ptrace`; the `type=SYSCALL ... ptrace` fallback in the WHERE clause fires only when such a key (or a comm/exe name containing "ptrace") is present, because raw records carry the syscall number, not its name. As written the rule is x86_64-only: on aarch64 ptrace is syscall 117 and register writes use PTRACE_SETREGSET (0x4205) rather than PTRACE_SETREGS, and on i386 ptrace is syscall 26. Excludes known debugger and container-runtime executables by matching their full exe path in the audit record.
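The decoding the rule depends on, as an added example that is not part of the original page or of QRadar: a Python script that parses raw auditd SYSCALL records, turns the hex a0 value into a ptrace request name, flags write-capable requests and applies the debugger exclusions, run over constructed sample lines rather than real captures. It goes beyond the AQL above in two ways, both choices made for this example rather than features of the rule: it keys on the arch= field so aarch64 (ptrace is syscall 117 there) and i386 (26) records are recognised alongside x86_64 (101) and the 0x42xx request family (PTRACE_SETREGSET, PTRACE_SEIZE) is decoded; and it matches excluded tools by basename, so a gdb in /opt/devtools/bin is treated like /usr/bin/gdb, which addresses the first tuning item in the next section at the cost of being easier to spoof.

```python
"""Decode and classify auditd ptrace SYSCALL records (added example, not page code)."""
import re
from dataclasses import dataclass
from typing import Optional

# ptrace syscall number per audit arch= value (AUDIT_ARCH_* constants).
PTRACE_SYSCALL_BY_ARCH = {"c000003e": 101,   # AUDIT_ARCH_X86_64
                          "40000003": 26,    # AUDIT_ARCH_I386
                          "c00000b7": 117}   # AUDIT_ARCH_AARCH64

# ptrace request numbers: x86 numbering below 0x20, arch-independent 0x42xx family.
PTRACE_REQUESTS = {
    0x0: "PTRACE_TRACEME", 0x1: "PTRACE_PEEKTEXT", 0x2: "PTRACE_PEEKDATA",
    0x4: "PTRACE_POKETEXT", 0x5: "PTRACE_POKEDATA", 0x6: "PTRACE_POKEUSER",
    0x7: "PTRACE_CONT", 0xc: "PTRACE_GETREGS", 0xd: "PTRACE_SETREGS",
    0x10: "PTRACE_ATTACH", 0x11: "PTRACE_DETACH",
    0x4204: "PTRACE_GETREGSET", 0x4205: "PTRACE_SETREGSET", 0x4206: "PTRACE_SEIZE",
}

# Requests that write the tracee's memory or registers, or take control of it.
WRITE_CAPABLE = {"PTRACE_POKETEXT", "PTRACE_POKEDATA", "PTRACE_POKEUSER",
                 "PTRACE_SETREGS", "PTRACE_SETREGSET", "PTRACE_ATTACH", "PTRACE_SEIZE"}

# Same tooling the AQL rule excludes, but matched on basename (an assumption of
# this example) so /opt/devtools/bin/gdb is treated like /usr/bin/gdb.
DEFAULT_EXCLUDED_TOOLS = {"gdb", "strace", "ltrace", "valgrind", "perf", "dockerd", "runc"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    pid: int          # tracer pid
    target_pid: int   # tracee pid, taken from a1
    exe: str
    operation: str
    risk: str
    excluded: bool


def parse_audit_record(line: str) -> dict:
    """Split one raw auditd line into key/value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_request(a0_hex: str) -> str:
    """a0 is bare lowercase hex in audit records, so 'a0=10' is PTRACE_ATTACH (16)."""
    n = int(a0_hex, 16)
    return PTRACE_REQUESTS.get(n, f"PTRACE_OTHER(0x{n:x})")


def classify(rec: dict, excluded_tools=DEFAULT_EXCLUDED_TOOLS) -> Optional[Finding]:
    """Return a Finding for a ptrace SYSCALL record, None for any other record."""
    if rec.get("type") != "SYSCALL":
        return None
    # syscall= is decimal and arch-specific; arch= selects the right number.
    if PTRACE_SYSCALL_BY_ARCH.get(rec.get("arch")) != int(rec.get("syscall", "-1")):
        return None
    op = decode_request(rec["a0"])
    exe = rec.get("exe", "")
    return Finding(
        pid=int(rec.get("pid", "0")),
        target_pid=int(rec.get("a1", "0"), 16),   # a1 is hex too
        exe=exe,
        operation=op,
        risk="High - Write/Modify Capability" if op in WRITE_CAPABLE else "Low - Read-only",
        excluded=exe.rsplit("/", 1)[-1] in excluded_tools,
    )


def run_detection(lines, excluded_tools=DEFAULT_EXCLUDED_TOOLS) -> list:
    """Alert on write-capable ptrace requests issued by non-excluded executables."""
    alerts = []
    for line in lines:
        finding = classify(parse_audit_record(line), excluded_tools)
        if finding and finding.risk.startswith("High") and not finding.excluded:
            alerts.append(finding)
    return alerts


def _rec(arch: str, nr: int, a0: str, pid: int, exe: str) -> str:
    """Build a constructed raw auditd SYSCALL line (sample data, not a real capture)."""
    comm = exe.rsplit("/", 1)[-1]
    return (f"type=SYSCALL msg=audit(1700000000.000:{pid}): arch={arch} syscall={nr} "
            f"success=yes exit=0 a0={a0} a1=4d2 a2=0 a3=0 items=0 ppid=1000 pid={pid} "
            f"auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 "
            f'sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="{comm}" exe="{exe}" key="ptrace"')


SAMPLE_LINES = [
    _rec("c000003e", 101, "10", 2001, "/usr/bin/strace"),        # ATTACH by strace: excluded
    _rec("c000003e", 101, "4", 2002, "/tmp/.cache/inject"),      # POKETEXT from unknown binary
    _rec("c000003e", 101, "4206", 2003, "/tmp/.cache/inject"),   # SEIZE (0x4206)
    _rec("c000003e", 101, "d", 2004, "/opt/devtools/bin/gdb"),   # SETREGS by a relocated gdb
    _rec("c000003e", 101, "2", 2005, "/tmp/.cache/inject"),      # PEEKDATA: read-only
    _rec("c00000b7", 117, "4205", 2006, "/tmp/.cache/inject"),   # aarch64 SETREGSET
    'type=PROCTITLE msg=audit(1700000000.000:2006): proctitle="inject"',
]

if __name__ == "__main__":
    for f in run_detection(SAMPLE_LINES):
        print(f"pid={f.pid} -> {f.target_pid} {f.operation} {f.exe} [{f.risk}]")
```

Running it prints the three injection-capable calls from /tmp/.cache/inject and nothing for strace, the relocated gdb or the read-only PEEKDATA. To reproduce the AQL rule's behaviour exactly, replace the basename check with a comparison against the full exe path and drop the non-x86_64 arch entries.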

Data Sources

  • QRadar Linux OS DSM (LOGSOURCETYPEID 12) via syslog from auditd
  • QRadar Linux AUDIT DSM (LOGSOURCETYPEID 296) via auditd audisp-remote
  • QRadar Universal DSM receiving Linux auditd SYSCALL records

Required Tables

events

False Positives & Tuning

  • Legitimate debuggers installed to non-standard paths (e.g., /opt/devtools/bin/gdb) whose exe path does not match the hardcoded exclusions
  • CI/CD pipeline runner agents that spawn test harnesses using ptrace for coverage instrumentation (e.g., kcov; gcov instruments at compile time and does not use ptrace)
  • Container checkpoint/restore tooling such as criu, which seizes processes with PTRACE_SEIZE and injects a parasite blob to dump them, so it looks exactly like this technique; nsenter enters namespaces with setns() rather than ptrace and does not appear in this data
  • The exe= exclusions match only the path, so anything executed from /usr/bin/gdb, including a replaced or trojanised binary, is silently dropped; where possible pair the exclusion with auid/uid, ppid or the audit key rather than relying on the path alone

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Ptrace Attachment via strace

    Expected signal: auditd SYSCALL record with syscall=101, a0=10 (PTRACE_ATTACH, 16 in decimal), a1=<target_pid in hex>, exe="/usr/bin/strace". Because strace is on the exclusion list the query above will not alert on this test; it validates the telemetry path (audit rule, forwarding, DSM parsing), not the alert. /proc/<target_pid>/status shows TracerPid=<strace_pid> while attached.

  2. Test 2: Ptrace Memory Read via /proc/pid/mem

    Expected signal: reading /proc/<pid>/mem or /proc/<pid>/maps issues no ptrace syscall (the kernel applies the same ptrace access check internally), so the query above does not fire on it; the read is visible only as an open()/openat() record if an auditd file-watch rule covers the path. If the test falls back to ptrace, expect a SYSCALL record with syscall=101.

  3. Test 3: Check ptrace_scope Kernel Setting

    Expected signal: no security telemetry; this is a configuration check. The output is the value of /proc/sys/kernel/yama/ptrace_scope: 0 lets a process attach to any other process of the same uid, 1 (the usual default) restricts attaching to descendants, 2 requires CAP_SYS_PTRACE, and 3 disables attach entirely. If the file is absent, Yama is not enabled and only the uid/capability check applies. The setting determines whether the other two tests can succeed without root.
