T1055.008: Ptrace System Calls

Ptrace System Calls is a Linux process-injection technique where an adversary abuses the legitimate ptrace debugging interface to alter a running process and execute code inside it. The business issue is not the API itself, but the defensive blind spot it can create: malicious activity may appear to come from a trusted or already-running process, complicating SOC triage, incident scoping, and evidence collection.

Executive priority

Prioritize this where Linux systems support critical services, privileged workloads, or sensitive data access. Leaders should ask whether privileged account controls, endpoint behavior prevention, and Linux telemetry can show when one process attaches to or modifies another. This matters for resilience and audit readiness because investigation quality depends on proving whether suspicious activity originated from a legitimate process or from injected execution hidden inside it.

Technical view

This is a Linux sub-technique of Process Injection aligned to stealth and privilege-escalation tactics. Validate visibility into ptrace-related process activity, especially attempts to attach to non-child processes, manipulate process memory, or alter register state. Because official ATT&CK detection text is not provided, use the related detection strategy DET0203 as direction to build and test Linux-focused detections for ptrace-based injection. The relationship to PACEMAKER shows this behavior is represented in ATT&CK software context, but local evidence is required before making any environment-specific exposure or incident claims.

Likely telemetry

Linux system call telemetry involving ptrace activity
Process lineage and parent-child relationships
Endpoint behavior events showing process-to-process access or memory modification
Privilege and account context for the tracing process and target process
Security product logs for behavior prevention or endpoint blocking decisions

Detection direction

Baseline legitimate ptrace use from debugging, observability, and administrative workflows to reduce false positives.
Alert on unusual process attachment patterns, especially where a process targets unrelated, sensitive, or higher-value processes.
Correlate ptrace events with privilege context, process ancestry, binary path, user identity, and subsequent network or file activity.
Validate that Linux endpoint tooling can observe process injection behaviors rather than only process creation events.
Use DET0203 as the ATT&CK-linked detection strategy reference for ptrace-based process injection validation.

Mitigation priorities

Apply privileged account management: restrict root or administrative access, enforce least privilege, and monitor privileged account use.
Use endpoint behavior prevention capabilities that can detect or block suspicious process behavior, API/system-call patterns, or process memory manipulation.
Limit who can perform debugging or tracing activity on production Linux systems where operationally feasible.
Ensure logging and auditing support accountability for privileged actions tied to ptrace-like behavior.
Prioritize control validation on Linux systems hosting critical services, sensitive data, or high-trust processes.

Analyst notes and limits

ATT&CK provides no official detection text for this object, so detection engineering should be validated through local Linux telemetry and the related DET0203 detection strategy. The supplied mitigation relationships are M1026 Privileged Account Management and M1040 Behavior Prevention on Endpoint. Ptrace may be legitimate for debugging and administration, so context is essential.

This take is based only on the supplied ATT&CK fields, external references, and relationships. It does not establish active exploitation, customer exposure, or guaranteed detection. Platform scope is Linux as supplied. The PACEMAKER relationship indicates ATT&CK software usage of the technique, but does not by itself prove current activity in any environment.

Official MITRE ATT&CK definition

Ptrace System Calls

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.

Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.[1] Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target processes’ memory (ex: the current address of the next instruction). [1][2]

Ptrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.[3]

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1055	Process Injection	This object subtechnique of Process Injection.

Associated objects

Groups, software, and campaigns

S1109: PACEMAKER

PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against US Defense Industrial Base (DIB) companies.[1]

Network DevicesLinux

Relationship explorer

All related ATT&CK context

uses · Malware S1109: PACEMAKER Enterprise mitigates · Mitigation M1040: Behavior Prevention on Endpoint Enterprise subtechnique of · Technique T1055: Process Injection Enterprise mitigates · Mitigation M1026: Privileged Account Management Enterprise detects · Detection Strategy DET0203: Detection Strategy for Ptrace-Based Process Injection on Linux Enterprise

Mitigations

Mitigation direction

M1040: Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures:

Suspicious Process Behavior:

- Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action.

Unauthorized File Access:

- Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it.

Abnormal API Calls:

- Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process.

Exploit Prevention:

- Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

M1026: Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

- Implement RBAC and least privilege principles to allocate permissions securely. - Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

- Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials. - Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

- Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

- Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

- Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

- Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

*Tools for Implementation*

Privileged Access Management (PAM):

- CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

- Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

- Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

- sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

- Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created: Jan 14, 2020, 01:33 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: f5fdf95ebd907724...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	2.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`f5fdf95ebd90…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
PTRACE man

Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.
Open source URL
[2]
Medium Ptrace JUL 2018

Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.
Open source URL
[3]
BH Linux Inject

Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.
Open source URL
[4]
mitre-attack T1055.008
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams