Description
Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.
Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) and then crafting a return-oriented programming (ROP) payload from the available gadgets/instructions. Each running process has its own directory, which includes its memory mappings. Proc memory injection is commonly performed by overwriting the target process's stack using the memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (instructions within the program that can be chained to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target process's memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man)
Other techniques such as Dynamic Linker Hijacking may be used to populate a target process with more available gadgets. Similar to Process Hollowing, proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process.
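The description above says the execution is masked under a legitimate process, which is why detection usually has to come from the access to /proc/[pid]/mem and /proc/[pid]/maps itself rather than from the victim process. The following is an added detection example, not part of the ATT&CK page or any vendor product: it joins auditd-style SYSCALL and PATH records by event serial, and flags open(2)/openat(2) calls on another process's /proc/<pid>/mem or maps. The audit field names and the x86_64 syscall numbers are real; the sample records, the "proc-access" rule key, and the severity scheme are constructed assumptions. It assumes a syscall rule that records open/openat (auditd path watches do not work on procfs).

```python
import re
from collections import defaultdict

# Constructed sample records (not real telemetry) in the style of auditd
# SYSCALL + PATH pairs for openat(2) on x86_64 (arch=c000003e, syscall=257).
# Event 501: "dd" opens another process's /proc/<pid>/mem for writing.
# Event 502: "cat" reads another process's /proc/<pid>/maps.
# Event 503: a process reads its own maps via /proc/self (benign).
# Event 504: a failed (EACCES) attempt to open /proc/<pid>/mem read-write.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=1 a3=0 pid=4321 uid=1000 auid=1000 comm="dd" exe="/usr/bin/dd" key="proc-access"
type=PATH msg=audit(1700000000.101:501): item=0 name="/proc/1234/mem" inode=99 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2 a2=0 a3=0 pid=4321 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat" key="proc-access"
type=PATH msg=audit(1700000000.202:502): item=0 name="/proc/1234/maps" inode=98 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd3 a2=0 a3=0 pid=777 uid=1000 auid=1000 comm="myapp" exe="/opt/myapp" key="proc-access"
type=PATH msg=audit(1700000000.303:503): item=0 name="/proc/self/maps" inode=97 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:504): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd4 a2=2 a3=0 pid=888 uid=1001 auid=1001 comm="python3" exe="/usr/bin/python3" key="proc-access"
type=PATH msg=audit(1700000000.404:504): item=0 name="/proc/1234/mem" inode=99 nametype=NORMAL
"""

EVENT_ID_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROC_TARGET_RE = re.compile(r"^/proc/(?P<target>\d+)/(?P<file>mem|maps)$")

# x86_64 syscall numbers for open(2) and openat(2); the flags argument is
# a1 for open and a2 for openat (a0 is the dirfd).
OPEN_SYSCALLS_X86_64 = {"2": ("open", "a1"), "257": ("openat", "a2")}
O_WRONLY, O_RDWR = 0o1, 0o2


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    match = EVENT_ID_RE.search(line)
    if not match:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    fields["_serial"] = int(match.group("serial"))
    fields["_ts"] = match.group("ts")
    return fields


def group_events(log_text):
    """Join SYSCALL and PATH records that share an audit event serial."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_record(line)
        if record:
            events[record["_serial"]].append(record)
    return events


def find_cross_process_proc_access(log_text):
    """Flag open/openat calls on /proc/<pid>/mem or /proc/<pid>/maps where
    <pid> is not the calling process. Writes to mem rank highest."""
    findings = []
    for serial, records in sorted(group_events(log_text).items()):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        if syscall is None or syscall.get("syscall") not in OPEN_SYSCALLS_X86_64:
            continue
        name, flags_arg = OPEN_SYSCALLS_X86_64[syscall["syscall"]]
        flags = int(syscall[flags_arg], 16)
        for_write = bool(flags & (O_WRONLY | O_RDWR))
        for path_record in (r for r in records if r.get("type") == "PATH"):
            match = PROC_TARGET_RE.match(path_record.get("name", ""))
            # Skip non-/proc paths and a process touching its own entry.
            if match is None or match.group("target") == syscall.get("pid"):
                continue
            if match.group("file") == "mem":
                severity = "high" if for_write else "medium"
            else:
                severity = "low"  # maps: layout reconnaissance, not a write
            findings.append({
                "serial": serial,
                "severity": severity,
                "syscall": name,
                "write": for_write,
                "succeeded": syscall.get("success") == "yes",
                "actor_pid": syscall.get("pid"),
                "comm": syscall.get("comm"),
                "exe": syscall.get("exe"),
                "target_pid": match.group("target"),
                "path": path_record["name"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_cross_process_proc_access(SAMPLE_AUDIT_LOG):
        print(finding)
```

Failed opens are kept (event 504) because a denied attempt against another process's mem is still worth a ticket. Debuggers, profilers and container runtimes legitimately open other processes' maps, so the "low" tier is for baselining rather than paging; a write-mode open of /proc/<pid>/mem by a utility such as dd has very few benign explanations.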
Mitigations (2)
Behavior Prevention on Endpoint (M1040)
Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process.
Restrict File and Directory Permissions (M1022)
Restrict the permissions on sensitive files such as /proc/[pid]/maps or /proc/[pid]/mem.
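On Linux the permission checks for these files are not ordinary mode bits: opening /proc/[pid]/mem is subject to a PTRACE_MODE_ATTACH access check (so the Yama kernel.yama.ptrace_scope sysctl applies), and the hidepid= mount option on /proc controls whether other users' /proc/[pid] entries are visible at all. The following is an added configuration audit, not part of the ATT&CK page: it evaluates those two settings, either from strings you pass in or from the running system. The sysctl levels and hidepid spellings are real; the finding wording and the constructed weak example are this block's own assumptions.

```python
# Meaning of each kernel.yama.ptrace_scope level (from the kernel's Yama documentation).
YAMA_SCOPE = {
    0: "classic: any process with the same uid may attach, so it may open /proc/<pid>/mem",
    1: "restricted: only a descendant, or a process named via PR_SET_PTRACER, may attach",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach is disabled and cannot be re-enabled without a reboot",
}

# Spellings accepted by the proc(5) hidepid= mount option, normalised to one name.
HIDEPID_LEVELS = {
    "0": "off", "off": "off",
    "1": "noaccess", "noaccess": "noaccess",
    "2": "invisible", "invisible": "invisible",
    "4": "ptraceable", "ptraceable": "ptraceable",
}


def parse_mount_options(options):
    """Turn a /proc/mounts options string such as 'rw,nosuid,hidepid=2' into a dict."""
    parsed = {}
    for item in options.split(","):
        key, sep, value = item.partition("=")
        if key:
            parsed[key] = value if sep else True
    return parsed


def assess_proc_hardening(ptrace_scope, proc_mount_options):
    """Return the effective settings plus a list of findings (empty when hardened)."""
    scope = int(ptrace_scope)
    opts = parse_mount_options(proc_mount_options)
    hidepid = HIDEPID_LEVELS.get(str(opts.get("hidepid", "0")), "unknown")
    findings = []
    if scope == 0:
        findings.append(
            "kernel.yama.ptrace_scope=0: any same-uid process can open /proc/<pid>/mem "
            "(the PTRACE_MODE_ATTACH check passes); set it to 1 or higher"
        )
    if hidepid == "off":
        findings.append(
            "proc mounted without hidepid: every user can list other users' /proc/<pid> "
            "entries; remount with hidepid=invisible (or hidepid=ptraceable on 5.8+)"
        )
    return {
        "ptrace_scope": scope,
        "ptrace_scope_meaning": YAMA_SCOPE.get(scope, "unknown"),
        "hidepid": hidepid,
        "findings": findings,
    }


def read_live_settings():
    """Read the running system's values; returns None off Linux or without Yama."""
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope") as f:
            scope = int(f.read().strip())
        with open("/proc/mounts") as f:
            for line in f:
                device, mountpoint, fstype, options = line.split()[:4]
                if fstype == "proc" and mountpoint == "/proc":
                    return scope, options
    except (OSError, ValueError):
        return None
    return None


if __name__ == "__main__":
    live = read_live_settings()
    if live is None:
        print("could not read live settings; assessing a constructed weak configuration")
        live = (0, "rw,nosuid,nodev,noexec,relatime")  # constructed example values
    print(assess_proc_hardening(*live))
```

Two caveats a practitioner should keep in mind: neither control restricts root or a process holding CAP_SYS_PTRACE, and Yama only governs the attach mode, so /proc/[pid]/maps (checked with PTRACE_MODE_READ) stays readable by same-uid processes at ptrace_scope=1; hidepid is what stops other users from reaching the entry in the first place. Individual services can additionally clear their dumpable flag (prctl PR_SET_DUMPABLE) to refuse non-root access to both files.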
References
- Kerrisk, M. (2020, February 2). DD(1) User Commands. Retrieved February 21, 2020.
- McNamara, R. (2017, September 5). Linux Based Inter-Process Code Injection Without Ptrace(2). Retrieved February 21, 2020.
- skape. (2003, January 19). Linux x86 run-time process manipulation. Retrieved December 20, 2017.
Frequently Asked Questions
What is T1055.009 (Proc Memory)?
T1055.009 is a MITRE ATT&CK technique named 'Proc Memory'. It belongs to the Stealth, Privilege Escalation tactic(s). Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of exec...
How can T1055.009 be detected?
Detection of T1055.009 (Proc Memory) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1055.009?
There are 2 documented mitigations for T1055.009. Key mitigations include: Behavior Prevention on Endpoint, Restrict File and Directory Permissions.
Which threat groups use T1055.009?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.