T1055.008 Sumo Logic CSE · Sumo

Detect Ptrace System Calls in Sumo Logic CSE

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values. Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes' memory.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.008 Ptrace System Calls
Canonical reference
https://attack.mitre.org/techniques/T1055/008/

Sumo Detection Query

Sumo Logic CSE (Sumo)

// Broad _sourceCategory match to accommodate varied collector configurations
(_sourceCategory=linux/audit OR _sourceCategory=linux/auditd OR _sourceCategory=os/linux*)
| where _raw matches /type=SYSCALL/
// 101 is ptrace on x86_64; "syscall=ptrace" covers records already interpreted by ausearch -i
| where _raw matches /syscall=101/ OR _raw matches /syscall=ptrace/
| parse "exe=\"*\"" as exe_path nodrop
// Leading space in the anchor so "pid=" is not matched inside "ppid=" and "uid=" not inside "auid="
| parse " pid=* " as caller_pid nodrop
| parse " a0=* " as ptrace_a0 nodrop
| parse " a1=* " as target_pid nodrop
| parse " auid=* " as audit_uid nodrop
| parse " uid=* " as uid nodrop
// Exclude known legitimate debuggers and container runtimes by executable basename
| where !(exe_path matches /\/(gdb|strace|ltrace|valgrind|perf|dockerd|containerd|runc|lldb|py-spy)$/)
// a0 is the ptrace request, logged by auditd in hex without 0x; decimal forms are kept for interpreted records.
// PTRACE_SETREGS = 0xd (13), PTRACE_ATTACH = 0x10 (16), PTRACE_SEIZE = 0x4206 (16902)
| where ptrace_a0 in ("4", "5", "d", "10", "13", "16", "4206", "16902")
| if(ptrace_a0 == "4", "PTRACE_POKETEXT",
    if(ptrace_a0 == "5", "PTRACE_POKEDATA",
    if(ptrace_a0 matches /^(d|13)$/, "PTRACE_SETREGS",
    if(ptrace_a0 matches /^(10|16)$/, "PTRACE_ATTACH",
    if(ptrace_a0 matches /^(4206|16902)$/, "PTRACE_SEIZE", "PTRACE_OTHER"))))) as ptrace_operation
| if(ptrace_operation in ("PTRACE_POKETEXT", "PTRACE_POKEDATA", "PTRACE_SETREGS", "PTRACE_ATTACH", "PTRACE_SEIZE"), "HIGH", "LOW") as injection_risk
| count by _sourceHost, exe_path, caller_pid, target_pid, audit_uid, uid, ptrace_operation, injection_risk
| sort by _count desc

Severity
High
Confidence
High

Detects ptrace syscall events with write or attach capability from Linux auditd logs ingested into Sumo Logic. Parses the SYSCALL audit record fields to extract the calling executable, ptrace request type (a0 argument in hex), and target PID. Classifies injection risk based on operation type and excludes known legitimate debuggers. Uses a broad _sourceCategory match to accommodate varied collector configurations.
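The same classification logic, written out as an added Python example so it can be run against raw audit lines offline; it is not Sumo Logic's code or part of the original detection package. The audit records below are constructed samples, the ptrace request numbers come from <sys/ptrace.h>, and the tracer exclusion list mirrors the query above. Two details the query glosses over are made explicit here: auditd logs a0 and a1 in hex, so the target PID is decoded from a1, and field anchors must not let "pid=" match inside "ppid=" or "uid=" inside "auid=".

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# ptrace request numbers as auditd logs them in a0: hex without the 0x prefix.
# Values are from <sys/ptrace.h>; note that PTRACE_SEIZE is 0x4206, not a small number.
PTRACE_REQUESTS = {
    0x4: "PTRACE_POKETEXT",
    0x5: "PTRACE_POKEDATA",
    0xC: "PTRACE_GETREGS",
    0xD: "PTRACE_SETREGS",
    0x10: "PTRACE_ATTACH",
    0x4206: "PTRACE_SEIZE",
}
# Requests that can write into or take control of the target: the "HIGH" class.
WRITE_OR_ATTACH = {"PTRACE_POKETEXT", "PTRACE_POKEDATA",
                   "PTRACE_SETREGS", "PTRACE_ATTACH", "PTRACE_SEIZE"}
# Executable basenames excluded as known legitimate tracers (same list as the query).
KNOWN_TRACERS = {"gdb", "strace", "ltrace", "valgrind", "perf",
                 "dockerd", "containerd", "runc", "lldb", "py-spy"}
# 101 is ptrace on x86_64; "ptrace" appears when ausearch -i has interpreted the record.
PTRACE_SYSCALL = {"101", "ptrace"}


@dataclass(frozen=True)
class PtraceEvent:
    exe: str
    caller_pid: int
    target_pid: int
    auid: str
    uid: str
    request: str
    risk: str


def field(raw: str, key: str) -> Optional[str]:
    """Return the value of key=value in an audit record, or None.

    The key is anchored to start-of-line or whitespace so that "pid=" does not
    match inside "ppid=" and "uid=" does not match inside "auid=".
    """
    m = re.search(r'(?:^|\s)' + re.escape(key) + r'=("[^"]*"|\S+)', raw)
    return m.group(1).strip('"') if m else None


def classify(raw: str) -> Optional[PtraceEvent]:
    """Apply the detection logic to one audit record; None means 'no alert'."""
    if field(raw, "type") != "SYSCALL" or field(raw, "syscall") not in PTRACE_SYSCALL:
        return None
    exe = field(raw, "exe") or ""
    if exe.rsplit("/", 1)[-1] in KNOWN_TRACERS:
        return None  # known debugger/tracer: excluded, as in the query
    a0, a1 = field(raw, "a0"), field(raw, "a1")
    if a0 is None or a1 is None:
        return None
    request = PTRACE_REQUESTS.get(int(a0, 16), "PTRACE_OTHER")
    risk = "HIGH" if request in WRITE_OR_ATTACH else "LOW"
    return PtraceEvent(exe=exe, caller_pid=int(field(raw, "pid") or 0),
                       target_pid=int(a1, 16), auid=field(raw, "auid") or "?",
                       uid=field(raw, "uid") or "?", request=request, risk=risk)


def detect(lines):
    """Run classify() over raw audit lines, keeping only the alerts."""
    return [ev for ev in (classify(line) for line in lines) if ev is not None]


def summarize(events):
    """Equivalent of the query's 'count by exe_path, ptrace_operation, injection_risk'."""
    return Counter((ev.exe, ev.request, ev.risk) for ev in events)


# Constructed sample records (not real telemetry); a2/a3 and most fields are trimmed.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=4 a1=4d2 a2=7ffd1000 a3=deadbeef items=0 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 '
    'comm="inject" exe="/tmp/inject" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.102:2002): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=4206 a1=4d2 a2=0 a3=0 items=0 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 '
    'comm="inject" exe="/tmp/inject" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.103:2003): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 '
    'comm="strace" exe="/usr/bin/strace" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.104:2004): arch=c000003e syscall=101 success=yes exit=0 '
    'a0=c a1=4d2 a2=7ffd2000 a3=0 items=0 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 '
    'comm="inspect" exe="/opt/tools/inspect" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.105:2005): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=1 a1=2 a2=3 a3=0 items=2 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 '
    'comm="ls" exe="/usr/bin/ls" key="exec"',
    'type=PROCTITLE msg=audit(1700000000.105:2005): proctitle=6C73',
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_AUDIT):
        print(ev)
    print(summarize(detect(SAMPLE_AUDIT)))
```

On the sample set, the strace attach is dropped by the tracer exclusion, the execve and PROCTITLE records are ignored, the POKETEXT and SEIZE calls from /tmp/inject come out as HIGH, and the GETREGS read from /opt/tools/inspect is kept as LOW for context.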

Data Sources

  • Sumo Logic Installed Collector with Local File Source tailing /var/log/audit/audit.log
  • Sumo Logic Cloud Syslog receiving auditd events via audisp-remote
  • Sumo Logic Linux app with auditd source category configured

Required Tables

  • _sourceCategory=linux/audit
  • _sourceCategory=linux/auditd
  • _sourceCategory=os/linux*

False Positives & Tuning

  • Custom internal debugging or tracing tools installed under unexpected binary names that bypass name-based exclusions
  • Java applications using the Attach API for dynamic instrumentation (e.g., Datadog, New Relic, Dynatrace agents attaching to JVM) which trigger PTRACE_ATTACH
  • Sanitizer-instrumented binaries (AddressSanitizer, ThreadSanitizer) running under test infrastructure that internally invoke ptrace for signal handling

Testing Methodology

Validate this detection against the three Atomic Red Team tests for this sub-technique. Each test below names the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Ptrace Attachment via strace

    Expected signal: auditd: SYSCALL type with syscall=101, a0=16 (PTRACE_ATTACH), a1=<target_pid>, exe=/usr/bin/strace. /proc/<target_pid>/status will show TracerPid=<strace_pid> while attached.

  2. Test 2: Ptrace Memory Read via /proc/pid/mem

    Expected signal: auditd: open() syscall on /proc/<pid>/maps. If ptrace is used: SYSCALL with syscall=101. The /proc/pid/maps read itself may be logged by auditd file access rules.

  3. Test 3: Check ptrace_scope Kernel Setting

    Expected signal: No security telemetry — this is a configuration check. The output shows the current ptrace restriction level.
