TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Lobsters

What even is a pidfd anyway?

corsix.org via runxiyu · 4 hours ago

ATT&CK techniques detected

4 predictions
T1057 Process Discovery (98%)
“open: Given a pidfd, it returns the pid number associated with the underlying process. This function requires that /proc be mounted, and returns the pid number in the pid namespace associated with the mounted /proc. Note that the pid number can be reused for a different proces…”

T1055.001 Dynamic-link Library Injection (91%)
“if the referenced process used an SCM_RIGHTS message to send a file descriptor to the calling process. The O_CLOEXEC flag is automatically set on the new fd. Calling this function incurs a PTRACE_MODE_ATTACH_REALCREDS security check. Available since: kernel 5.8, glibc…”

T1055.001 Dynamic-link Library Injection (80%)
“transitions from alive to zombie, if that process's parent's SIGCHLD handler is SIG_IGN or has SA_NOCLDWAIT, then the kernel does an automatic wait call on behalf of the parent and discards the result, thereby transitioning the child onward from zombie to dead. This cause…”

T1057 Process Discovery (69%)
“pidfd to obtain the exit code and status of dead processes, not just zombie processes (c.f. GetExitCodeProcess in Windows). - The ability to mark a process as transitioning directly from alive to dead, without sitting in the zombie state until someone waits upon it. This would…”
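The excerpts above describe two pidfd behaviours that matter in practice: pidfd_getfd() copies a descriptor out of another process after a PTRACE_MODE_ATTACH_REALCREDS check and sets O_CLOEXEC on the copy, and a parent whose SIGCHLD handler is SIG_IGN has the kernel reap its children for it, so their exit status is discarded before anyone can wait for it. The C program below is an added example written for this page, not code from the corsix.org article or from TTPwire, and it exercises both behaviours on Linux. It invokes the syscalls directly through syscall(2) with the architecture-independent numbers 434 (pidfd_open) and 438 (pidfd_getfd) so that it builds against glibc versions without the wrappers; the DEMO_* result codes, the exit code 42 and the "secret" marker are this example's own conventions. Where the kernel predates pidfd (5.3 for pidfd_open, 5.8 for pidfd_getfd) or a seccomp filter rejects the call, the functions report DEMO_UNSUPPORTED; where the ptrace access check fails (Yama ptrace_scope=2, for instance, or a seccomp profile that returns EPERM for pidfd_getfd, which container runtimes commonly gate behind CAP_SYS_PTRACE), the grab reports DEMO_ACCESS_DENIED instead of aborting.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Same syscall numbers on every architecture; defined here for older glibc headers. */
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif
#ifndef SYS_pidfd_getfd
#define SYS_pidfd_getfd 438
#endif
#ifndef P_PIDFD
#define P_PIDFD 3
#endif

/* Result codes invented for this example (not kernel values). */
#define DEMO_UNSUPPORTED   (-100) /* kernel or seccomp filter lacks the pidfd call */
#define DEMO_STATUS_LOST   (-101) /* child was auto-reaped: waitid() returned ECHILD */
#define DEMO_ACCESS_DENIED (-102) /* pidfd_getfd() refused with EPERM (ptrace check or seccomp) */
#define CHILD_EXIT_CODE 42

static int sys_pidfd_open(pid_t pid) { return (int)syscall(SYS_pidfd_open, pid, 0); }
static int sys_pidfd_getfd(int pidfd, int fd) { return (int)syscall(SYS_pidfd_getfd, pidfd, fd, 0); }

/* Fork a child that exits with CHILD_EXIT_CODE and collect its status with
 * waitid(P_PIDFD). With SIGCHLD set to SIG_IGN the kernel reaps the child itself, the
 * zombie state is skipped, and the exit code is already gone by the time we ask. */
int child_exit_status_via_pidfd(int ignore_sigchld) {
    struct sigaction sa = { .sa_handler = ignore_sigchld ? SIG_IGN : SIG_DFL }, old;
    sigaction(SIGCHLD, &sa, &old);
    int gate[2], result;                      /* child exits only once the parent closes gate[1] */
    if (pipe(gate) < 0) return -errno;
    pid_t pid = fork();
    if (pid == 0) { char c; close(gate[1]); read(gate[0], &c, 1); _exit(CHILD_EXIT_CODE); }
    close(gate[0]);
    int pidfd = pid < 0 ? -1 : sys_pidfd_open(pid); /* opened while the child is still alive */
    close(gate[1]);                           /* release the child; it exits now */
    if (pidfd < 0) {
        if (pid > 0) waitpid(pid, NULL, 0);   /* no pidfd: reap the old way instead */
        result = DEMO_UNSUPPORTED;
    } else {
        struct pollfd p = { .fd = pidfd, .events = POLLIN };
        poll(&p, 1, 10000);                   /* readable once the process is no longer alive */
        siginfo_t si = { 0 };
        if (waitid(P_PIDFD, pidfd, &si, WEXITED) == 0)
            result = si.si_status;            /* the child's exit code */
        else
            result = errno == ECHILD ? DEMO_STATUS_LOST : errno == EINVAL ? DEMO_UNSUPPORTED : -errno;
        close(pidfd);
    }
    sigaction(SIGCHLD, &old, NULL);
    return result;
}

/* Pull a descriptor out of a running child without its cooperation: the child makes a
 * pipe, writes a marker into it and parks; the parent duplicates the read end through the
 * child's pidfd and checks the data plus the O_CLOEXEC flag set on the new fd. 1 = success. */
int grab_child_fd_via_pidfd(void) {
    int sync_pipe[2];                         /* child -> parent: the fd number to grab */
    if (pipe(sync_pipe) < 0) return -errno;
    pid_t pid = fork();
    if (pid == 0) {
        int data[2];
        if (pipe(data) < 0 || write(data[1], "secret", 6) != 6) _exit(1);
        if (write(sync_pipe[1], &data[0], sizeof data[0]) != sizeof data[0]) _exit(1);
        for (;;) pause();                     /* park until the parent kills us */
    }
    close(sync_pipe[1]);
    int target_fd = -1, result;
    if (pid < 0 || read(sync_pipe[0], &target_fd, sizeof target_fd) != sizeof target_fd) target_fd = -1;
    close(sync_pipe[0]);
    int pidfd = target_fd < 0 ? -1 : sys_pidfd_open(pid);
    if (pidfd < 0) result = DEMO_UNSUPPORTED;
    else {
        int fd = sys_pidfd_getfd(pidfd, target_fd);  /* PTRACE_MODE_ATTACH_REALCREDS check is here */
        if (fd < 0)
            result = errno == EPERM ? DEMO_ACCESS_DENIED : errno == ENOSYS ? DEMO_UNSUPPORTED : -errno;
        else {
            char buf[8] = { 0 };
            ssize_t n = read(fd, buf, sizeof buf - 1);
            int cloexec = fcntl(fd, F_GETFD) & FD_CLOEXEC;
            result = (n == 6 && memcmp(buf, "secret", 6) == 0 && cloexec) ? 1 : 0;
            close(fd);
        }
        close(pidfd);
    }
    if (pid > 0) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    return result;
}

int main(void) {
    printf("SIGCHLD default: %d, SIGCHLD ignored: %d, pidfd_getfd grab: %d\n",
           child_exit_status_via_pidfd(0), child_exit_status_via_pidfd(1), grab_child_fd_via_pidfd());
}
```

With SIGCHLD at its default the first function returns 42; with SIGCHLD ignored it returns DEMO_STATUS_LOST, because the child went straight from alive to dead and waitid(P_PIDFD) finds no child left to report on, which is exactly the gap the excerpt is pointing at. From a detection standpoint pidfd_getfd is the call worth watching (the classifier's T1055 hit above): it performs the cross-process descriptor copy that would otherwise need ptrace or a cooperating SCM_RIGHTS sender, and the only gates on it are the ptrace access check (Yama scope, the target's dumpable flag, CAP_SYS_PTRACE) and seccomp.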
