AN1400: Analytic 1400
Detects ptrace- or memfd-based process injection through audit logs capturing system calls (e.g., ptrace, mmap) targeting running processes along with suspicious file descriptors or memory writes.
Analyst context for executives and security teams
This analytic is relevant because it focuses on Linux process injection behavior that may occur without dropping a conventional executable to disk. For leaders, the decision point is whether Linux audit logging and SOC workflows can expose memory-focused tampering against running processes, not just file-based malware activity.
Executive priority
Prioritize this where Linux systems support critical services, privileged workloads, or regulated operations. The business value is in validating that incident responders can see suspicious process-manipulation activity early enough to support containment decisions, compliance evidence, and operational resilience. Because the ATT&CK object provides no tactic mapping or relationship context, treat it as a detection engineering validation item rather than a complete risk assessment by itself.
Technical view
For SOC and detection engineering teams, validate Linux audit coverage for system calls associated with process injection indicators referenced by the analytic, including ptrace and mmap, and correlate them with targeting of running processes, suspicious file descriptors, or memory writes. IR teams should confirm that audit events contain enough process, user, command, parent process, target process, and file descriptor context to support triage. Since no official detection logic is supplied, local baselining and tuning are required.
Likely telemetry
- Linux audit logs capturing relevant system calls
- System call records for ptrace and mmap activity
- Process metadata for source and target processes
- User and privilege context associated with process access
- File descriptor and memory write indicators where available
Detection direction
- Validate that Linux audit policy actually records the system calls and process context needed for this analytic.
- Tune for unusual process access or memory-write patterns rather than alerting on every ptrace or mmap event, because legitimate debugging, observability, and security tools may generate similar telemetry.
- Prioritize events involving privileged users, sensitive processes, unexpected parent processes, or suspicious file descriptor activity.
- Confirm whether audit logs are centrally collected, retained, and searchable quickly enough for incident response.
- Document blind spots on Linux hosts where audit logging is disabled, incomplete, or too noisy to operationalize.
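The detection direction above calls for correlating ptrace, mmap and memfd activity with process, user and file-descriptor context instead of alerting on every event. The following triage helper is an added example written for this page, not part of the ATT&CK object or of Glexia's tooling. It assumes auditd rules of the form `-a always,exit -F arch=b64 -S ptrace -S mmap -S memfd_create -S process_vm_writev -k proc_inject`, x86_64 syscall numbers, and a local allow-list of known debuggers (`BASELINE_TRACERS`) that must be tuned per environment; the audit records it processes are constructed samples, not real logs.

```python
"""Triage Linux audit SYSCALL records for process-injection indicators.

Added example. Assumed audit rules (x86_64):
  -a always,exit -F arch=b64 -S ptrace -S mmap -S memfd_create -S process_vm_writev -k proc_inject
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# x86_64 syscall numbers from the kernel syscall table
SYSCALLS = {9: "mmap", 101: "ptrace", 311: "process_vm_writev", 319: "memfd_create"}
# ptrace request codes from <sys/ptrace.h>
PTRACE_REQUESTS = {0: "TRACEME", 4: "POKETEXT", 5: "POKEDATA", 16: "ATTACH", 0x4206: "SEIZE"}
CROSS_PROCESS = {"POKETEXT", "POKEDATA", "ATTACH", "SEIZE"}   # act on another pid (a1)
MEMORY_WRITE = {"POKETEXT", "POKEDATA"}                       # write into target memory
ANON_FD = 0xFFFFFFFFFFFFFFFF                                  # mmap fd of -1 (MAP_ANONYMOUS)
BASELINE_TRACERS = {"gdb", "strace", "ltrace"}                # assumed local baseline, tune locally

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit record into a field dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


@dataclass
class Finding:
    pid: int
    comm: str
    syscall: str
    target_pid: Optional[int]
    reason: str
    severity: str


def triage(lines: List[str]) -> List[Finding]:
    """Return prioritized findings; mmap is only reported after memfd_create by the same pid."""
    findings: List[Finding] = []
    memfd_pids = set()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("success") != "yes":
            continue  # failed calls are still worth logging, but not triaged here
        name = SYSCALLS.get(int(rec.get("syscall", "-1")))
        if name is None:
            continue
        pid, comm = int(rec["pid"]), rec.get("comm", "?")
        privileged = rec.get("euid") == "0"
        if name == "ptrace":
            req = PTRACE_REQUESTS.get(int(rec["a0"], 16), "OTHER")
            if req not in CROSS_PROCESS:
                continue  # e.g. TRACEME on self, or request not in scope
            target = int(rec["a1"], 16)
            if req in MEMORY_WRITE:
                sev, why = "high", f"ptrace {req}: memory write into pid {target}"
            elif comm not in BASELINE_TRACERS or privileged:
                sev, why = "medium", f"ptrace {req} by non-baseline or privileged tracer"
            else:
                sev, why = "low", f"ptrace {req} by baseline debugger"
            findings.append(Finding(pid, comm, name, target, why, sev))
        elif name == "process_vm_writev":
            target = int(rec["a0"], 16)
            findings.append(Finding(pid, comm, name, target,
                                    "direct write into another process's memory", "high"))
        elif name == "memfd_create":
            memfd_pids.add(pid)
            findings.append(Finding(pid, comm, name, None,
                                    "anonymous in-memory file created", "low"))
        elif name == "mmap":
            fd = int(rec.get("a4", "ffffffffffffffff"), 16)
            if pid in memfd_pids and fd != ANON_FD:   # file-backed mapping after memfd_create
                findings.append(Finding(pid, comm, name, None,
                                        "mmap of a file descriptor after memfd_create", "medium"))
    return findings


# Constructed sample records (not real logs): pid 1234 is 0x4d2, PTRACE_ATTACH is 0x10
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.100:1): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 items=0 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 comm="gdb" exe="/usr/bin/gdb" key="proc_inject"',
    'type=SYSCALL msg=audit(1700000000.200:2): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7f00 a3=90 items=0 ppid=1 pid=2002 auid=4294967295 uid=0 gid=0 euid=0 comm="svc-helper" exe="/tmp/svc-helper" key="proc_inject"',
    'type=SYSCALL msg=audit(1700000000.300:3): arch=c000003e syscall=319 success=yes exit=3 a0=7ffd a1=1 a2=0 a3=0 items=0 ppid=1 pid=2002 auid=4294967295 uid=0 gid=0 euid=0 comm="svc-helper" exe="/tmp/svc-helper" key="proc_inject"',
    'type=SYSCALL msg=audit(1700000000.400:4): arch=c000003e syscall=9 success=yes exit=7f0000000000 a0=0 a1=1000 a2=5 a3=2 a4=3 a5=0 items=0 ppid=1 pid=2002 auid=4294967295 uid=0 gid=0 euid=0 comm="svc-helper" exe="/tmp/svc-helper" key="proc_inject"',
    'type=SYSCALL msg=audit(1700000000.500:5): arch=c000003e syscall=9 success=yes exit=7f0000100000 a0=0 a1=2000 a2=3 a3=22 a4=ffffffffffffffff a5=0 items=0 ppid=1 pid=3003 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="proc_inject"',
    'type=SYSCALL msg=audit(1700000000.600:6): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=1 a2=0 a3=0 items=0 ppid=900 pid=905 auid=1000 uid=1000 gid=1000 euid=1000 comm="strace" exe="/usr/bin/strace" key="proc_inject"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] pid={f.pid} comm={f.comm} {f.syscall}: {f.reason}")
```

Run against the sample, the baseline debugger's attach is reported as low, the root-owned process writing into another process's memory as high, and the memfd_create followed by a file-backed mmap in the same pid as a correlated medium; the ordinary anonymous mmap and the failed ptrace call produce nothing. Enriching `Finding` with the target process's own comm and parent (from `/proc` at alert time or from a process-tracking source) is the natural next step, since the audit record alone names the target only by pid.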
Mitigation priorities
- Establish or review Linux audit logging for relevant system calls on systems where performance and operational requirements allow it.
- Restrict unnecessary privileges and administrative access that could enable process manipulation.
- Baseline legitimate debugging, monitoring, and security tooling so detections can distinguish expected from unusual behavior.
- Ensure SOC playbooks define how to triage suspected process injection on Linux, including containment and evidence preservation steps.
- Use findings from tuning and coverage gaps to inform hardening, access management, and incident response readiness priorities.
Analyst notes and limits
This is a detection analytic object for Linux. It describes audit-log-based detection of ptrace- or memfd-based process injection involving system calls such as ptrace and mmap, running process targets, suspicious file descriptors, or memory writes. No relationships, tactic mapping, or formal detection query were supplied, so the main value is guiding telemetry validation and detection engineering readiness.
The supplied ATT&CK fields do not include official detection logic, related techniques, mitigations, data components, adversary use, or attribution. Effectiveness depends on local Linux audit configuration, log quality, system performance constraints, and environment-specific baselines.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates entry under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 39116d952f01… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1400 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.