{ | |
"type": "bundle", | |
"id": "bundle--a577afff-5bc8-48d9-a7b7-6960e78dc7cf", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"modified": "2023-03-20T18:57:40.571Z", | |
"name": "Ptrace System Calls", | |
"description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high privileges and, on some systems, processes that are not child processes of the attaching process.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", | |
"kill_chain_phases": [ | |
{ | |
"kill_chain_name": "mitre-mobile-attack", | |
"phase_name": "defense-evasion" | |
}, | |
{ | |
"kill_chain_name": "mitre-mobile-attack", | |
"phase_name": "privilege-escalation" | |
} | |
], | |
"x_mitre_deprecated": false, | |
"x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", | |
"x_mitre_domains": [ | |
"mobile-attack" | |
], | |
"x_mitre_is_subtechnique": true, | |
"x_mitre_platforms": [ | |
"Android", | |
"iOS" | |
], | |
"x_mitre_version": "1.1", | |
"x_mitre_tactic_type": [ | |
"Post-Adversary Device Access" | |
], | |
"type": "attack-pattern", | |
"id": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", | |
"created": "2022-03-30T19:05:17.048Z", | |
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"revoked": false, | |
"external_references": [ | |
{ | |
"source_name": "mitre-attack", | |
"url": "https://attack.mitre.org/techniques/T1631/001", | |
"external_id": "T1631.001" | |
}, | |
{ | |
"source_name": "BH Linux Inject", | |
"description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.", | |
"url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf" | |
}, | |
{ | |
"source_name": "Medium Ptrace JUL 2018", | |
"description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.", | |
"url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be" | |
}, | |
{ | |
"source_name": "PTRACE man", | |
"description": "Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.", | |
"url": "http://man7.org/linux/man-pages/man2/ptrace.2.html" | |
} | |
], | |
"object_marking_refs": [ | |
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
], | |
"x_mitre_attack_spec_version": "3.1.0", | |
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
} | |
] | |
} |