sigmahighHunting

Code Injection by ld.so Preload

Detects the ld.so preload persistence file. See `man ld.so` for more information.

MITRE ATT&CK

defense-evasionpersistenceprivilege-escalation

Detection Query

keywords:
  - /etc/ld.so.preload
condition: keywords

Author

Christian Burkard (Nextron Systems)

Created

2021-05-05

Data Sources

linux

Platforms

linux

References

https://man7.org/linux/man-pages/man8/ld.so.8.html

Tags

attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.006

Raw Content

title: Code Injection by ld.so Preload
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
status: test
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
references:
    - https://man7.org/linux/man-pages/man8/ld.so.8.html
author: Christian Burkard (Nextron Systems)
date: 2021-05-05
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.006
logsource:
    product: linux
detection:
    keywords:
        - '/etc/ld.so.preload'
    condition: keywords
falsepositives:
    - Rare temporary workaround for library misconfiguration
level: high