strace
System call tracer. Can monitor running processes, extract secrets from memory, and trace file/network operations for reconnaissance.
Binary Paths
/usr/bin/strace
/bin/strace
Glob Patterns
| Pattern | Notes |
|---|---|
| `st*e` | Star matches 'rac' — may match other st*e binaries |
| `str?ce` | Single wildcard replaces 'a' |
| `s*ce` | Star matches 'tra' — broader pattern |
| `strac[e]` | Character class on final char |
| `/usr/bin/str?ce` | Full path with single wildcard |
| `/???/bin/str?ce` | Obfuscate /usr/ and 'a' in strace |
| `$(ls /usr/bin/str?ce)` | ls resolves glob to /usr/bin/strace; command substitution executes it |
| `$'\x73\x74\x72\x61\x63\x65'` | ANSI-C hex escapes expand to 'strace' |
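
For detection, a literal string match on "strace" misses every row in the table above. The following is an added example, not part of the original page or its auto-generated rule: it normalizes a logged command line (ANSI-C hex escapes, `$(...)` substitution) and tests each word as a glob against the binary paths listed on this page. The function names and the `MIN_LITERALS` threshold are assumptions made for illustration.

```python
import fnmatch
import re
import shlex

# Paths from the "Binary Paths" section of this page.
STRACE_PATHS = ("/usr/bin/strace", "/bin/strace")
MIN_LITERALS = 2  # assumption: skip patterns as broad as a bare "*"

ANSI_C = re.compile(r"\$'((?:\\x[0-9a-fA-F]{2}|[^'\\])*)'")
CMD_SUBST = re.compile(r"\$\(([^()]*)\)")
GLOB_META = re.compile(r"\[[^\]]*\]|[*?]")


def decode_ansi_c(text):
    """Expand $'...' quoting, handling \\xNN hex escapes only."""
    def expand(m):
        return re.sub(r"\\x([0-9a-fA-F]{2})",
                      lambda h: chr(int(h.group(1), 16)), m.group(1))
    return ANSI_C.sub(expand, text)


def glob_hits_strace(word):
    """True if a shell word, read as a glob, can expand to strace."""
    parts = word.split("/")
    if len(GLOB_META.sub("", parts[-1])) < MIN_LITERALS:
        return False
    if len(parts) == 1:
        return fnmatch.fnmatchcase("strace", word)
    # Compare per path component, since shell globs never cross "/".
    for path in STRACE_PATHS:
        target = path.split("/")
        if len(parts) == len(target) and all(
                fnmatch.fnmatchcase(t, p) for t, p in zip(target, parts)):
            return True
    return False


def command_references_strace(cmdline):
    """Check every word, including words inside $(...), against strace."""
    text = CMD_SUBST.sub(lambda m: f" {m.group(1)} ", decode_ansi_c(cmdline))
    try:
        words = shlex.split(text)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        words = text.split()
    return any(glob_hits_strace(w) for w in words)
```

Relative paths such as `bin/str?ce` and escape forms other than `\xNN` are not covered; matching on the resolved executable path in exec audit events remains the more reliable signal.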
YARA Rule
Auto-generated detection rule for strace
Platform Notes
strace can extract credentials by tracing process syscalls: `strace -p <pid> -e read 2>&1 | grep -i pass`. If strace has sudo permissions, it enables shell escapes: `sudo strace -o /dev/null /bin/bash`. GTFOBins documents strace as a sudo escape vector.