Dynamic Linker (ld.so) Creation
This rule detects the creation of the dynamic linker (ld.so) file. The dynamic linker is used to load shared libraries needed by an executable. Attackers may attempt to replace the dynamic linker with a malicious version to execute arbitrary code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/12/16"
3integration = ["endpoint", "sentinel_one_cloud_funnel"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
6min_stack_version = "8.13.0"
7updated_date = "2025/01/15"
8
9[rule]
10author = ["Elastic"]
11description = """
12This rule detects the creation of the dynamic linker (ld.so) file. The dynamic linker is used to load shared libraries
13needed by an executable. Attackers may attempt to replace the dynamic linker with a malicious version to execute
14arbitrary code.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Dynamic Linker (ld.so) Creation"
21risk_score = 21
22rule_id = "06d555e4-c8ce-4d90-90e1-ec7f66df5a6a"
23setup = """## Setup
24
25This rule requires data coming in from Elastic Defend.
26
27### Elastic Defend Integration Setup
28Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
29
30#### Prerequisite Requirements:
31- Fleet is required for Elastic Defend.
32- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
33
34#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
35- Go to the Kibana home page and click "Add integrations".
36- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
37- Click "Add Elastic Defend".
38- Configure the integration name and optionally add a description.
39- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
40- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
41- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
42- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
43For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
44- Click "Save and Continue".
45- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
46For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
47"""
48severity = "low"
49tags = [
50 "Domain: Endpoint",
51 "OS: Linux",
52 "Use Case: Threat Detection",
53 "Tactic: Defense Evasion",
54 "Tactic: Execution",
55 "Tactic: Persistence",
56 "Data Source: Elastic Defend",
57 "Data Source: SentinelOne",
58 "Data Source: Elastic Endgame",
59 "Resources: Investigation Guide",
60]
61timestamp_override = "event.ingested"
62type = "eql"
63query = '''
64file where host.os.type == "linux" and event.type == "creation" and process.executable != null and
65file.path like~ ("/lib/ld-linux*.so*", "/lib64/ld-linux*.so*", "/usr/lib/ld-linux*.so*", "/usr/lib64/ld-linux*.so*") and
66not process.name in ("dockerd", "yum", "dnf", "microdnf", "pacman")
67'''
68note = """## Triage and analysis
69
70> **Disclaimer**:
71> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
72
73### Investigating Dynamic Linker (ld.so) Creation
74
75The dynamic linker, ld.so, is crucial in Linux environments for loading shared libraries required by executables. Adversaries may exploit this by replacing it with a malicious version to execute unauthorized code, achieving persistence or evading defenses. The detection rule identifies suspicious creation of ld.so files, excluding benign processes, to flag potential threats.
76
77### Possible investigation steps
78
79- Review the process that triggered the alert by examining the process.executable field to understand which application attempted to create the ld.so file.
80- Check the process.name field to ensure the process is not one of the benign processes listed in the exclusion criteria, such as "dockerd", "yum", "dnf", "microdnf", or "pacman".
81- Investigate the file.path to confirm the location of the newly created ld.so file and verify if it matches any of the specified directories like "/lib", "/lib64", "/usr/lib", or "/usr/lib64".
82- Analyze the parent process of the suspicious executable to determine if it was initiated by a legitimate or potentially malicious source.
83- Look for any recent changes or anomalies in the system logs around the time of the file creation event to identify any related suspicious activities.
84- Cross-reference the event with other security tools or logs, such as Elastic Defend or SentinelOne, to gather additional context or corroborating evidence of malicious activity.
85- Assess the risk and impact of the event by considering the system's role and the potential consequences of a compromised dynamic linker on that system.
86
87### False positive analysis
88
89- Package managers like yum, dnf, microdnf, and pacman can trigger false positives when they update or install packages that involve the dynamic linker. These processes are already excluded in the rule, but ensure any custom package managers or scripts are also considered for exclusion.
90- Container management tools such as dockerd may create or modify ld.so files during container operations. If you use other container tools, consider adding them to the exclusion list to prevent false positives.
91- System updates or maintenance scripts that involve library updates might create ld.so files. Review these scripts and add them to the exclusion list if they are verified as non-threatening.
92- Custom administrative scripts or automation tools that interact with shared libraries could inadvertently trigger the rule. Identify these scripts and exclude them if they are part of regular, secure operations.
93- Development environments where ld.so files are frequently created or modified during testing and compilation processes may need specific exclusions for development tools or environments to avoid false positives.
94
95### Response and remediation
96
97- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
98- Verify the integrity of the dynamic linker (ld.so) on the affected system by comparing it with a known good version from a trusted source or repository.
99- If the dynamic linker has been tampered with, replace it with the verified version and ensure all system binaries are intact.
100- Conduct a thorough scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malicious files or processes.
101- Review system logs and the process creation history to identify the source of the unauthorized ld.so creation and any associated malicious activity.
102- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
103- Implement additional monitoring and alerting for similar suspicious activities, such as unauthorized file creations in critical system directories, to enhance future detection capabilities."""
104
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107
108 [rule.threat.tactic]
109 name = "Defense Evasion"
110 id = "TA0005"
111 reference = "https://attack.mitre.org/tactics/TA0005/"
112
113 [[rule.threat.technique]]
114 id = "T1218"
115 name = "System Binary Proxy Execution"
116 reference = "https://attack.mitre.org/techniques/T1218/"
117
118[[rule.threat]]
119framework = "MITRE ATT&CK"
120
121 [rule.threat.tactic]
122 name = "Execution"
123 id = "TA0002"
124 reference = "https://attack.mitre.org/tactics/TA0002/"
125
126 [[rule.threat.technique]]
127 id = "T1059"
128 name = "Command and Scripting Interpreter"
129 reference = "https://attack.mitre.org/techniques/T1059/"
130
131 [[rule.threat.technique.subtechnique]]
132 name = "Unix Shell"
133 id = "T1059.004"
134 reference = "https://attack.mitre.org/techniques/T1059/004/"
135
136[[rule.threat]]
137framework = "MITRE ATT&CK"
138
139 [rule.threat.tactic]
140 name = "Persistence"
141 id = "TA0003"
142 reference = "https://attack.mitre.org/tactics/TA0003/"
143
144 [[rule.threat.technique]]
145 name = "Hijack Execution Flow"
146 id = "T1574"
147 reference = "https://attack.mitre.org/techniques/T1574/"
148
149 [[rule.threat.technique.subtechnique]]
150 name = "Dynamic Linker Hijacking"
151 id = "T1574.006"
152 reference = "https://attack.mitre.org/techniques/T1574/006/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Dynamic Linker (ld.so) Creation
The dynamic linker, ld.so, is crucial in Linux environments for loading shared libraries required by executables. Adversaries may exploit this by replacing it with a malicious version to execute unauthorized code, achieving persistence or evading defenses. The detection rule identifies suspicious creation of ld.so files, excluding benign processes, to flag potential threats.
Possible investigation steps
- Review the process that triggered the alert by examining the process.executable field to understand which application attempted to create the ld.so file.
- Check the process.name field to ensure the process is not one of the benign processes listed in the exclusion criteria, such as "dockerd", "yum", "dnf", "microdnf", or "pacman".
- Investigate the file.path to confirm the location of the newly created ld.so file and verify if it matches any of the specified directories like "/lib", "/lib64", "/usr/lib", or "/usr/lib64".
- Analyze the parent process of the suspicious executable to determine if it was initiated by a legitimate or potentially malicious source.
- Look for any recent changes or anomalies in the system logs around the time of the file creation event to identify any related suspicious activities.
- Cross-reference the event with other security tools or logs, such as Elastic Defend or SentinelOne, to gather additional context or corroborating evidence of malicious activity.
- Assess the risk and impact of the event by considering the system's role and the potential consequences of a compromised dynamic linker on that system.
False positive analysis
- Package managers like yum, dnf, microdnf, and pacman can trigger false positives when they update or install packages that involve the dynamic linker. These processes are already excluded in the rule, but ensure any custom package managers or scripts are also considered for exclusion.
- Container management tools such as dockerd may create or modify ld.so files during container operations. If you use other container tools, consider adding them to the exclusion list to prevent false positives.
- System updates or maintenance scripts that involve library updates might create ld.so files. Review these scripts and add them to the exclusion list if they are verified as non-threatening.
- Custom administrative scripts or automation tools that interact with shared libraries could inadvertently trigger the rule. Identify these scripts and exclude them if they are part of regular, secure operations.
- Development environments where ld.so files are frequently created or modified during testing and compilation processes may need specific exclusions for development tools or environments to avoid false positives.
Response and remediation
- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
- Verify the integrity of the dynamic linker (ld.so) on the affected system by comparing it with a known good version from a trusted source or repository.
- If the dynamic linker has been tampered with, replace it with the verified version and ensure all system binaries are intact.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection tools to identify and remove any additional malicious files or processes.
- Review system logs and the process creation history to identify the source of the unauthorized ld.so creation and any associated malicious activity.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
- Implement additional monitoring and alerting for similar suspicious activities, such as unauthorized file creations in critical system directories, to enhance future detection capabilities.
Related rules
- Git Hook Child Process
- Git Hook Created or Modified
- DNF Package Manager Plugin File Creation
- Directory Creation in /bin directory
- Git Hook Command Execution