T1631.001: Ptrace System Calls
Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.
Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.[1] Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).[1][2]
Ptrace system call injection may not be possible when targeting high-privilege processes and, on some systems, processes that are not children of the tracing process.[3]
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.
Analyst context for executives and security teams
Ptrace System Calls is a mobile process-injection sub-technique for Android and iOS where malicious code may be run inside another live process. The business significance is that activity can appear to come from a legitimate process, which can weaken process-based monitoring, complicate incident scoping, and potentially expose the target process’s memory, network access, or privileges.
Executive priority
Treat this as a control-validation issue for mobile security and incident readiness rather than a standalone vulnerability. Leaders should ask whether high-risk mobile fleets, managed devices, and mobile applications have evidence capable of showing suspicious process tracing or code injection behavior, especially where mobile devices support privileged access, sensitive data, or regulated workflows. Because ATT&CK provides no official detection text for this object, coverage should be proven through local telemetry and testing, not assumed from tool presence.
Technical view
For SOC, detection engineering, and IR teams, validate visibility for ptrace-related process manipulation on Android and iOS where feasible. The technique is a sub-technique of mobile Process Injection and is associated with software entries Triada on Android, INSOMNIA on iOS, and Zen on Android. ATT&CK also relates DET0622, Detection of Ptrace System Calls, to this object, but the supplied object does not include detection logic. Focus investigation on abnormal debugger-like attachment to running processes, memory/register modification behavior, and execution that appears under another legitimate process context. Account for legitimate debugging, development, EDR, testing, and device-management activity as likely false-positive sources.
Likely telemetry
- Mobile endpoint or EDR events showing ptrace system call usage or debugger attachment behavior
- Process lineage and parent/child process context on Android and iOS devices where available
- Signals of memory or register manipulation in a running process, including ptrace operations such as PTRACE_SETREGS, PTRACE_POKETEXT, or PTRACE_POKEDATA when observable
- Application/process identity, signing, integrity, privilege, and sandbox context
- Device state relevant to feasibility, such as rooted or jailbroken status and elevated privileges
Detection direction
- Map available mobile telemetry against DET0622 and confirm whether ptrace-related events are actually collected, retained, and searchable.
- Tune for ptrace use against non-development, production, or sensitive applications, especially when initiated by unexpected processes or on devices not enrolled for testing.
- Correlate suspected ptrace activity with process identity, privilege level, device integrity state, and subsequent network or data-access behavior from the target process.
- Separate legitimate debugging and QA workflows from production monitoring through allowlists, device groups, developer certificate context, or approved tooling records.
- Do not rely only on process name or apparent legitimate process execution; this technique’s value is that execution may be masked inside another process.
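One way to put the tuning points above into practice, as an added example that is not part of the ATT&CK object or of Glexia's tooling: a small Python triage over constructed ptrace telemetry lines that flags the register/memory-write requests named in the description when they come from an unapproved tracer, target a process that is not the tracer's child, hit a sensitive app, or occur on a rooted/jailbroken device. The key=value record format, the tool allowlist, the app names and the device-state fields are assumptions.

```python
"""Triage constructed ptrace telemetry: flag memory/register writes into other processes."""
import re

# ptrace requests the technique relies on, taken from the ATT&CK description.
INJECTION_REQUESTS = {"PTRACE_SETREGS", "PTRACE_POKETEXT", "PTRACE_POKEDATA"}
# Hypothetical allowlist of approved debugging tools (assumption; use your QA tooling records).
APPROVED_TRACERS = {"lldb-server", "gdbserver"}
# Hypothetical sensitive production apps that deserve extra weight.
SENSITIVE_APPS = {"com.example.bank"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one key=value telemetry line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def triage(event):
    """Return the reasons this ptrace event deserves an alert ([] if benign)."""
    request = event.get("request")
    if request not in INJECTION_REQUESTS:
        return []  # attach/peek alone is ordinary debugger behaviour, not injection
    if event.get("tracer_comm") in APPROVED_TRACERS and event.get("dev_device") == "1":
        return []  # approved tool on a device enrolled for development/testing
    reasons = ["memory/register write via " + request]
    if event.get("target_ppid") != event.get("tracer_pid"):
        reasons.append("target is not a child of the tracer")
    if event.get("target_comm") in SENSITIVE_APPS:
        reasons.append("target is a sensitive production app")
    if event.get("rooted") == "1":
        reasons.append("device reports root/jailbreak state")
    return reasons


# Constructed sample telemetry (not real device or EDR output).
SAMPLE_EVENTS = [
    "ts=1 request=PTRACE_ATTACH tracer_pid=100 tracer_comm=lldb-server "
    "target_pid=200 target_ppid=100 target_comm=com.example.debugme dev_device=1 rooted=0",
    "ts=2 request=PTRACE_SETREGS tracer_pid=100 tracer_comm=lldb-server "
    "target_pid=200 target_ppid=100 target_comm=com.example.debugme dev_device=1 rooted=0",
    "ts=3 request=PTRACE_POKETEXT tracer_pid=4242 tracer_comm=updater "
    "target_pid=300 target_ppid=1 target_comm=com.example.bank dev_device=0 rooted=1",
]


def alerts(lines=SAMPLE_EVENTS):
    """Map the timestamp of each flagged event to its list of reasons."""
    return {ev["ts"]: r for ev in map(parse_event, lines) if (r := triage(ev))}


if __name__ == "__main__":
    for ts, reasons in alerts().items():
        print(f"ts={ts}: " + "; ".join(reasons))
```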
Mitigation priorities
- Prioritize prevention and monitoring for rooted or jailbroken devices where ptrace-based process manipulation may be more feasible.
- Restrict production access from devices that fail integrity, enrollment, or compliance checks when those devices handle sensitive business applications.
- Harden mobile application and device-management baselines to reduce unauthorized debugging, tampering, and elevated execution paths where supported.
- Use mobile threat detection, EDR, or MDM telemetry to establish auditable evidence of device integrity, suspicious debugging behavior, and incident response triage data.
- Maintain clear exceptions for legitimate development and testing devices so detection teams can alert on unexpected ptrace-like activity in business-use environments.
Analyst notes and limits
This ATT&CK object is a mobile sub-technique, T1631.001, under Process Injection and applies to Android and iOS. ATT&CK lists no tactics and provides no official detection text in the supplied fields. The relationship context indicates DET0622 detects this object and that Triada, INSOMNIA, and Zen use it, but those relationships should be used for detection context and threat modeling rather than claims of current activity in any environment.
The supplied fields do not provide detailed detection analytics, mitigations, procedure examples, or telemetry requirements. Practical coverage depends heavily on mobile OS version, device privilege state, EDR/MDM capability, application architecture, and whether production devices permit collection of system-call or process-manipulation evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1540 | Code Injection | Code Injection was revoked by this object. |
| Mobile | T1631 | Process Injection | This object is a sub-technique of Process Injection. |
Groups, software, and campaigns
S0463: INSOMNIA
S0494: Zen
S0424: Triada
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 767f507fc8d9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.
[2] Jain, S. (2018, July 25). Code injection in running process using ptrace. Medium. Retrieved February 21, 2020.
[3] Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.
[4] MITRE ATT&CK. T1631.001.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.