ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`

Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
Sigma rule (View on GitHub)
```yaml
title: ASLR Disabled Via Sysctl or Direct Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
    Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
    - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
    - Modification of the /proc/sys/kernel/randomize_va_space file
    - Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
    Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
    A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
    - https://man7.org/linux/man-pages/man2/personality.2.html
    - https://manual.cs50.io/2/personality
    - https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-10-18
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1055.009
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall:
        type: 'SYSCALL'
        syscall: 'personality'
        a0: 40000
    selection_sysctl:
        type: 'EXECVE'
        a0: 'sysctl'
        a1: '-w'
        a2: 'kernel.randomize_va_space=0' # 0 = disable
    condition: 1 of selection_*
falsepositives:
    - Debugging or legitimate software testing
level: high
```
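To see what the two selections actually match, here is an added example (not part of the rule or of SigmaHQ) that replays the rule's logic over constructed auditd records in the default key=value format. It assumes a SYSCALL record exists at all, which requires an audit rule such as `-a always,exit -F arch=b64 -S personality -k aslr` to be loaded, and that the syscall is logged either by name (`log_format = ENRICHED`) or as number 135, the x86_64 value. It deliberately goes a little beyond the rule: the persona is tested with a bitmask rather than an exact `40000` match, so ADDR_NO_RANDOMIZE combined with another persona bit is still caught; `personality(0xffffffff)`, which only queries the current persona and is what debuggers commonly issue, is excluded; and `sysctl` is recognised when invoked by full path or without `-w`.

```python
"""Replay the Sigma rule's two selections over constructed auditd records."""
import os
import re

# Flag value from personality(2), as cited in the rule (0x0040000).
ADDR_NO_RANDOMIZE = 0x0040000
# personality(0xffffffff) only queries the current persona and changes nothing.
PERSONA_QUERY = 0xFFFFFFFF
# Syscall number of personality(2) on x86_64; auditd prints the number unless
# log_format = ENRICHED is set. Other architectures use different numbers.
PERSONALITY_NR_X86_64 = "135"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Turn one auditd record into a dict, stripping the quotes auditd adds."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def _argv(rec: dict) -> list:
    """Collect a0, a1, ... of an EXECVE record in numeric order."""
    keys = sorted((k for k in rec if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
    return [rec[k] for k in keys]


def matches_personality(rec: dict) -> bool:
    """selection_syscall, widened to any persona carrying ADDR_NO_RANDOMIZE."""
    if rec.get("type") != "SYSCALL":
        return False
    syscall = rec.get("syscall", "")
    if syscall.lower() != "personality" and syscall != PERSONALITY_NR_X86_64:
        return False
    try:
        persona = int(rec.get("a0", ""), 16)  # auditd logs syscall args in hex
    except ValueError:
        return False
    if persona == PERSONA_QUERY:  # read-only query, not a change
        return False
    return bool(persona & ADDR_NO_RANDOMIZE)


def matches_sysctl(rec: dict) -> bool:
    """selection_sysctl, widened: sysctl may be invoked by path and without -w."""
    if rec.get("type") != "EXECVE":
        return False
    argv = _argv(rec)
    if not argv or os.path.basename(argv[0]) != "sysctl":
        return False
    return any(a.replace(" ", "") == "kernel.randomize_va_space=0" for a in argv[1:])


def detect(lines) -> list:
    """Return (audit event id, selection name) for every record that matches."""
    hits = []
    for line in lines:
        rec = parse_audit_record(line)
        m = re.search(r":(\d+)\)", rec.get("msg", ""))
        event_id = m.group(1) if m else "?"
        if matches_personality(rec):
            hits.append((event_id, "selection_syscall"))
        elif matches_sysctl(rec):
            hits.append((event_id, "selection_sysctl"))
    return hits


# Constructed sample records (not real logs). 40008 is ADDR_NO_RANDOMIZE with
# another persona bit set, which the rule's exact a0 match would miss.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1716700000.123:501): arch=c000003e syscall=personality '
    'success=yes exit=0 a0=40000 a1=0 a2=0 a3=0 items=0 pid=1234 auid=1000 uid=1000 '
    'comm="demo" exe="/tmp/demo" key="aslr"',
    'type=SYSCALL msg=audit(1716700001.000:502): arch=c000003e syscall=personality '
    'success=yes exit=0 a0=ffffffff a1=0 a2=0 a3=0 pid=1235 comm="gdb" key="aslr"',
    'type=SYSCALL msg=audit(1716700002.000:503): arch=c000003e syscall=135 '
    'success=yes exit=0 a0=40008 a1=0 a2=0 a3=0 pid=1236 comm="demo" key="aslr"',
    'type=EXECVE msg=audit(1716700003.000:504): argc=3 a0="sysctl" a1="-w" '
    'a2="kernel.randomize_va_space=0"',
    'type=EXECVE msg=audit(1716700004.000:505): argc=3 a0="sysctl" a1="-w" '
    'a2="kernel.randomize_va_space=2"',
    'type=EXECVE msg=audit(1716700005.000:506): argc=2 a0="/usr/sbin/sysctl" '
    'a1="kernel.randomize_va_space=0"',
]

if __name__ == "__main__":
    for event_id, selection in detect(SAMPLE_RECORDS):
        print(f"event {event_id}: {selection}")
```

Run as a script it reports events 501 and 503 for `selection_syscall` and 504 and 506 for `selection_sysctl`; 502 (a persona query) and 505 (ASLR set to 2, the default) stay silent. Note that neither the rule's selections nor this replay cover the third case in the description, a direct write to /proc/sys/kernel/randomize_va_space; that needs its own file watch or a PATH-record match.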