Modification of Dynamic Linker Preload Shared Object Inside A Container

This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule in the detection-rules TOML layout:
# [metadata], then [rule], then the MITRE ATT&CK threat mapping.
[metadata]
creation_date = "2023/06/06"
integration = ["cloud_defend"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a
container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the
dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to
grant unauthorized access to system resources and has been used to evade detection of malicious processes in container
environments.
"""
# Each run looks back 6 minutes while runs are scheduled every 5 minutes, so
# consecutive windows overlap by one minute; because timestamp_override is
# event.ingested, that window is measured against ingest time, not event time.
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
references = [
    "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
    "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/",
    "https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
]
# 73 is the risk score Elastic pairs with severity "high"; keep the two in step.
risk_score = 73
rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee"
severity = "high"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"

# Matches every file event from the cloud_defend module except deletions, so
# both creation and modification of the preload file alert while removal of
# the file does not. The path is a literal equality match on /etc/ld.so.preload.
# Container scoping comes from the data source (cloud_defend index and module),
# not from any container field in the query.
query = '''
file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"
'''


# ATT&CK mapping: Hijack Execution Flow (T1574) -> Dynamic Linker Hijacking
# (T1574.006), under the Defense Evasion tactic (TA0005).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[[rule.threat.technique.subtechnique]]
id = "T1574.006"
name = "Dynamic Linker Hijacking"
reference = "https://attack.mitre.org/techniques/T1574/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
