Adversaries may use the dd utility to inject code into a running Linux process by writing directly into its memory through /proc/<pid>/mem, a technique that needs no ptrace and can be used for persistence or privilege escalation. Because no debugger attach or library load takes place, it tends to slip past traditional detection methods, so SOC teams should proactively hunt for this behaviour in Azure Sentinel to surface potential code injection attempts.
Detection Rule
title: Potential Linux Process Code Injection Via DD Utility
id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
status: test
description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/
    - https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh
author: Joseph Kamau
date: 2023-12-01
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055.009
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/dd'
        CommandLine|contains|all:
            - 'of='
            - '/proc/'
            - '/mem'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL)
imProcessCreate
| where TargetProcessName endswith "/dd"
    and TargetProcessCommandLine contains "of="
    and TargetProcessCommandLine contains "/proc/"
    and TargetProcessCommandLine contains "/mem"
False Positive Scenarios

Scenario: System Update Using dd to Copy Disk Images
Description: A system administrator uses dd to copy a disk image during a routine system update or OS installation.
Filter/Exclusion: Check for the presence of known disk image files (e.g., update_disk.img, os_install.img) or the use of dd in conjunction with mount or rsync for image transfer.

Scenario: Backup and Restore Operations Using dd
Description: A backup process uses dd to create a disk-level backup of a server or virtual machine.
Filter/Exclusion: Filter for dd commands that include paths to known backup directories (e.g., /backup/, /var/backups/) or use of dd with if=/dev/sdX and of=/backup/sdX.img.

Scenario: Scheduled Job to Clone a Disk for Testing
Description: A scheduled job runs dd to clone a disk for testing or development purposes.
Filter/Exclusion: Exclude dd commands that are executed by a known test user or scheduled via cron with a specific test-related job name (e.g., test_disk_clone).

Scenario: Admin Task to Copy Data Between Partitions
Description: An admin uses dd to copy data between partitions for migration or data transfer.
Filter/Exclusion: Filter for dd commands that include if=/dev/sdX and of=/dev/sdY where both devices are part of the same system or are known data transfer targets.

Scenario: Use of dd in a Script for Disk Imaging
Description: A script used by DevOps or sysadmins automates the creation of disk images for deployment or forensic analysis.
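The following is an added example and not code from the original page, the Sigma project or Microsoft Sentinel. It ports the rule's selection (Image ends with /dd; command line contains of=, /proc/ and /mem) to Python, runs it over constructed process creation events whose field names are modelled on the imProcessCreate schema, and then layers on the exclusion ideas from the false-positive scenarios above. Two points a practitioner should see before deploying the rule: the disk-imaging and backup scenarios write to block devices or image files rather than /proc/<pid>/mem, so they never satisfy the selection and need no exclusion; and a benign diagnostic such as copying /proc/meminfo does satisfy it, because "/proc/meminfo" contains both "/proc/" and "/mem". The tighter output-path check below is a suggestion made here, not part of the rule, and every path, user name and job name is an assumption for the example.

```python
"""Added example, not code from the original page, the Sigma project or Sentinel.
It ports the rule's selection to Python, runs it over constructed ASIM-style
process creation events (field names modelled on imProcessCreate), and layers
on the tuning ideas from the false-positive scenarios. All paths, user names
and job names below are assumptions made for the example."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    TargetProcessName: str
    TargetProcessCommandLine: str
    ActorUsername: str = ""        # user that launched the process
    ParentProcessName: str = ""    # e.g. /usr/sbin/cron for scheduled jobs


def matches_sigma_selection(ev: ProcessEvent) -> bool:
    """Literal port of the rule: Image ends with '/dd' and the command line
    contains 'of=', '/proc/' and '/mem'. KQL endswith/contains are
    case-insensitive, so both sides are lower-cased to mirror Sentinel."""
    image = ev.TargetProcessName.lower()
    cmd = ev.TargetProcessCommandLine.lower()
    return image.endswith("/dd") and all(s in cmd for s in ("of=", "/proc/", "/mem"))


# Tuning knobs taken from the scenarios above; the concrete values are assumptions.
KNOWN_BACKUP_DIRS = ("/backup/", "/var/backups/")
KNOWN_TEST_USERS = {"testbot"}
TEST_JOB_MARKERS = ("test_disk_clone",)

# Tighter check suggested here (not part of the rule): the output file must be a
# real process memory file, /proc/<pid>/mem or /proc/self/mem, not merely a path
# that happens to contain "/proc/" and "/mem" (such as /proc/meminfo).
PROC_MEM_OUTPUT = re.compile(r"of=/proc/(\d+|self)/mem(?:\s|$)")


def is_known_benign(ev: ProcessEvent) -> bool:
    """Exclusions modelled on the backup, test-user and cron-job scenarios."""
    cmd = ev.TargetProcessCommandLine
    if any(f"of={d}" in cmd for d in KNOWN_BACKUP_DIRS):
        return True
    if ev.ActorUsername in KNOWN_TEST_USERS:
        return True
    if ev.ParentProcessName.endswith("/cron") and any(m in cmd for m in TEST_JOB_MARKERS):
        return True
    return False


def classify(ev: ProcessEvent) -> str:
    """'no-match'  : the Sigma selection does not fire at all
       'excluded'  : fires, but matches a documented benign scenario
       'loose-only': fires on substrings only; output is not /proc/<pid>/mem
       'alert'     : fires and the output file really is a process memory file"""
    if not matches_sigma_selection(ev):
        return "no-match"
    if is_known_benign(ev):
        return "excluded"
    if not PROC_MEM_OUTPUT.search(ev.TargetProcessCommandLine):
        return "loose-only"
    return "alert"


# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = {
    "proc-mem-write": ProcessEvent(
        "/usr/bin/dd", "dd if=/tmp/payload.bin of=/proc/4242/mem bs=1 conv=notrunc",
        "www-data", "/bin/bash"),
    "meminfo-diag": ProcessEvent(          # benign, but trips the substring rule
        "/usr/bin/dd", "dd if=/proc/meminfo of=/tmp/meminfo.txt", "root", "/bin/bash"),
    "meminfo-backup": ProcessEvent(        # same, but written to a known backup dir
        "/usr/bin/dd", "dd if=/proc/meminfo of=/var/backups/meminfo.txt", "root", "/bin/bash"),
    "disk-backup": ProcessEvent(
        "/usr/bin/dd", "dd if=/dev/sda of=/backup/sda.img bs=4M", "root", "/bin/bash"),
    "cron-test-clone": ProcessEvent(
        "/usr/bin/dd", "dd if=/dev/sdb of=/srv/images/test_disk_clone.img bs=4M",
        "root", "/usr/sbin/cron"),
}


def summarize(events=None) -> dict:
    """Map each sample label to its classification."""
    events = SAMPLE_EVENTS if events is None else events
    return {label: classify(ev) for label, ev in events.items()}


if __name__ == "__main__":
    for label, verdict in summarize().items():
        print(f"{verdict:11} {label}: {SAMPLE_EVENTS[label].TargetProcessCommandLine}")
```

Running the script prints one verdict per sample: only the write to /proc/4242/mem is an alert, the /proc/meminfo copy to /tmp is flagged as a loose substring hit, the same copy into /var/backups/ is excluded, and both disk-cloning jobs never match the selection at all. Exclusions keyed on command-line substrings (a backup directory, a job name) are the weakest of the three, since anyone who controls the command line can add such a substring; the user and parent-process conditions, and the tighter of=/proc/<pid>/mem check, hold up better and are the ones worth carrying into the Sentinel query.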