Modification of Dynamic Linker Preload Shared Object Inside A Container
This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/06/06"
3integration = ["cloud_defend"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a
11container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the
12dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to
13grant unauthorized access to system resources and has been used to evade detection of malicious processes in container
14environments.
15"""
16from = "now-6m"
17index = ["logs-cloud_defend*"]
18interval = "5m"
19language = "eql"
20license = "Elastic License v2"
21name = "Modification of Dynamic Linker Preload Shared Object Inside A Container"
22references = [
23 "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/",
24 "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang/",
25 "https://sysdig.com/blog/threat-detection-aws-cloud-containers/",
26]
27risk_score = 73
28rule_id = "342f834b-21a6-41bf-878c-87d116eba3ee"
29severity = "high"
30tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "Tactic: Defense Evasion"]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"
36'''
37
38
39[[rule.threat]]
40framework = "MITRE ATT&CK"
41[[rule.threat.technique]]
42id = "T1574"
43name = "Hijack Execution Flow"
44reference = "https://attack.mitre.org/techniques/T1574/"
45[[rule.threat.technique.subtechnique]]
46id = "T1574.006"
47name = "Dynamic Linker Hijacking"
48reference = "https://attack.mitre.org/techniques/T1574/006/"
49
50
51
52[rule.threat.tactic]
53id = "TA0005"
54name = "Defense Evasion"
55reference = "https://attack.mitre.org/tactics/TA0005/"
References
-
Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations.
Read More -
The “Rocke group”, a Chinese threat actor group who specializes in cryptojacking, has shifted gears on how they’re stealing your cycles.
Read More -
Discover how to implementing effective threat detection for AWS that provides visibility into all of your cloud services and containers.
Read More
Related rules
- File Made Executable via Chmod Inside A Container
- AWS Credentials Searched For Inside A Container
- Container Management Utility Run Inside A Container
- Container Workload Protection
- Interactive Exec Command Launched Against A Running Container