EXPLORE
Sign In
← Back to Explore
T1574.006

Dynamic Linker Hijacking

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo D...

LinuxmacOS
24
Detections
3
Sources
3
Threat Actors

BY SOURCE

17elastic5splunk_escu2sigma

PROCEDURES (16)

Inject4 detections

Auto-extracted: 4 detections for inject

Container2 detections

Auto-extracted: 2 detections for container

Credential2 detections

Auto-extracted: 2 detections for credential

Privilege2 detections

Auto-extracted: 2 detections for privilege

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Bypass1 detections

Auto-extracted: 1 detections for bypass

Service1 detections

Auto-extracted: 1 detections for service

Persist1 detections

Auto-extracted: 1 detections for persist

Unusual1 detections

Auto-extracted: 1 detections for unusual

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Unusual1 detections

Auto-extracted: 1 detections for unusual

Bypass1 detections

Auto-extracted: 1 detections for bypass

Service1 detections

Auto-extracted: 1 detections for service

THREAT ACTORS (3)

APT41Aquatic PandaRocke

DETECTIONS (24)

Code Injection by ld.so Preload
sigmahigh
Dylib Injection via Process Environment Variables
elastichigh
Dynamic Linker (ld.so) Creation
elasticmedium
Dynamic Linker Copy
elastichigh
Dynamic Linker Creation
elasticmedium
Dynamic Linker Modification Detected via Defend for Containers
elastichigh
GitHub Workflow File Creation or Modification
splunk_escu
Linux Auditd Preload Hijack Library Calls
splunk_escu
Linux Auditd Preload Hijack Via Preload File
splunk_escu
Linux Preload Hijack Library Calls
splunk_escu
Modification of Dynamic Linker Preload Shared Object
elasticmedium
Modification of Environment Variable via Unsigned or Untrusted Parent
elasticmedium
Modification of ld.so.preload
sigmahigh
Pod or Container Creation with Suspicious Command-Line
elasticmedium
Potential CVE-2025-32463 Nsswitch File Creation
elastichigh
Potential Persistence via File Modification
elasticlow
Potential Privilege Escalation via PKEXEC
elastichigh
Potential Suspicious File Edit
elasticlow
Shai-Hulud Workflow File Creation or Modification
splunk_escu
Shared Object Created by Previously Unknown Process
elasticmedium
Suspicious Dynamic Linker Discovery via od
elastichigh
Suspicious Echo or Printf Execution Detected via Defend for Containers
elastichigh
Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments
elastichigh
Unusual Preload Environment Variable Process Execution
elasticlow