title: Ptrace System Calls (T1055.008)
id: df00tech-t1055-008
status: experimental
description: "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values. Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes' memory."
references:
  - https://attack.mitre.org/techniques/T1055/008/
  - https://df00tech.com/detections/T1055.008
author: df00tech
date: 2026/04/16
tags:
  - attack.t1055.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
# (ptrace is a Linux system call, so product is set to linux; the relevant
# telemetry is usually auditd SYSCALL records rather than process creation)
logsource:
  category: process_creation
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software developers using gdb, strace, or ltrace for legitimate debugging
  - Container runtime tools (Docker, containerd) using ptrace for process namespace management
  - System administration tools performing ptrace for diagnostic purposes
  - Security scanners and vulnerability assessment tools that ptrace processes for analysis
level: high
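The detection block above is a placeholder, so the following is an added example of the logic the description calls for, written here and not taken from the df00tech rule or its KQL/SPL query. It runs over constructed auditd SYSCALL records: it identifies the ptrace syscall by audit `arch` plus syscall number (101 on x86_64, 26 on i386, 117 on aarch64), decodes the request from `a0` using the constants in `<sys/ptrace.h>`, and reports calls that write tracee memory or registers (PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_POKEUSER, PTRACE_SETREGS). The `BENIGN_COMM` allowlist mirrors the rule's falsepositives section; the log lines, process names and pids are constructed.

```python
"""Flag ptrace-based injection in auditd SYSCALL records (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# ptrace syscall number keyed by the audit "arch" value (x86_64, i386, aarch64).
PTRACE_SYSCALL_BY_ARCH = {"c000003e": 101, "40000028": 26, "c00000b7": 117}

# Request constants from <sys/ptrace.h>; a0 carries the request, printed in hex by auditd.
PTRACE_REQUESTS = {
    0x0: "PTRACE_TRACEME",
    0x4: "PTRACE_POKETEXT",
    0x5: "PTRACE_POKEDATA",
    0x6: "PTRACE_POKEUSER",
    0xD: "PTRACE_SETREGS",
    0x10: "PTRACE_ATTACH",
    0x4206: "PTRACE_SEIZE",
}
# Requests that modify the tracee: the write-then-redirect pattern the description names.
WRITE_REQUESTS = {"PTRACE_POKETEXT", "PTRACE_POKEDATA", "PTRACE_POKEUSER", "PTRACE_SETREGS"}

# Tuning allowlist taken from the rule's falsepositives. "comm" is self-reported by the
# process, so this reduces noise; it is not a trust boundary.
BENIGN_COMM = {"gdb", "strace", "ltrace", "dockerd", "containerd"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd records: gdb attach + poke (benign), an execve, and two ptrace writes
# from unlisted binaries (one x86_64 POKETEXT, one aarch64 SETREGS).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1713254400.101:2001): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=3101 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1713254400.102:2002): arch=c000003e syscall=101 success=yes exit=0 a0=5 a1=4d2 a2=7ffc0000 a3=41 pid=3101 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1713254400.103:2003): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 pid=3102 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1713254400.104:2004): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=401000 a3=cc pid=3103 auid=1000 uid=1000 comm="suspect" exe="/tmp/suspect" key="ptrace"',
    'type=SYSCALL msg=audit(1713254400.105:2005): arch=c00000b7 syscall=117 success=yes exit=0 a0=d a1=4d2 a2=0 a3=ffff8000 pid=3104 auid=1000 uid=1000 comm="loader" exe="/tmp/loader" key="ptrace"',
    'type=PROCTITLE msg=audit(1713254400.104:2004): proctitle=2F746D702F73757370656374',
]


@dataclass
class PtraceEvent:
    pid: int          # tracer pid
    comm: str
    exe: str
    request: str
    target_pid: int   # a1 is the tracee pid for every request except PTRACE_TRACEME
    suspicious: bool


def parse_fields(line: str) -> dict:
    """Split an auditd record into key/value pairs, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(line: str) -> Optional[PtraceEvent]:
    """Return a PtraceEvent for ptrace SYSCALL records; None for anything else."""
    f = parse_fields(line)
    if f.get("type") != "SYSCALL":
        return None
    if int(f.get("syscall", "-1")) != PTRACE_SYSCALL_BY_ARCH.get(f.get("arch", "")):
        return None
    req_num = int(f.get("a0", "0"), 16)
    request = PTRACE_REQUESTS.get(req_num, f"PTRACE_REQ_0x{req_num:x}")
    suspicious = request in WRITE_REQUESTS and f.get("comm") not in BENIGN_COMM
    return PtraceEvent(
        pid=int(f.get("pid", "0")),
        comm=f.get("comm", ""),
        exe=f.get("exe", ""),
        request=request,
        target_pid=int(f.get("a1", "0"), 16),
        suspicious=suspicious,
    )


def scan(lines: List[str]) -> List[PtraceEvent]:
    """Return only the ptrace events that should raise an alert."""
    return [e for e in map(classify, lines) if e is not None and e.suspicious]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT pid={hit.pid} comm={hit.comm} exe={hit.exe} "
              f"{hit.request} -> target pid {hit.target_pid}")
```

Running it prints two alerts (the POKETEXT from `/tmp/suspect` and the SETREGS from `/tmp/loader`) and stays quiet on gdb, which matches the rule's falsepositives. In a real pipeline the PTRACE_ATTACH/PTRACE_SEIZE events are still worth keeping as context so that an alert can be joined to the attach that preceded it.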
