Disable ASLR Via Personality Syscall - Linux

Detects the use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers during exploit development, or to bypass memory protection mechanisms. A successful use of this flag reduces the effectiveness of ASLR and makes memory corruption attacks more reliable.

Sigma rule

title: Disable ASLR Via Personality Syscall - Linux
id: e497a24e-9345-4a62-9803-b06d7d7cb132
status: experimental
description: |
    Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000),
    which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers
    during exploit development, or to bypass memory protection mechanisms.
    A successful use of this flag reduces the effectiveness of ASLR and makes memory corruption
    attacks more reliable.
references:
    - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
    - https://man7.org/linux/man-pages/man2/personality.2.html
    - https://manual.cs50.io/2/personality
author: Milad Cheraghi
date: 2025-05-26
modified: 2025-06-05
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1055.009
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        syscall: 'personality'
        a0: 40000
    condition: selection
falsepositives:
    - Debugging or legitimate software testing
level: low
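The rule above matches auditd SYSCALL records whose first argument is exactly 40000 (auditd prints a0 as hex without a 0x prefix, so this is 0x40000, the ADDR_NO_RANDOMIZE bit). The following Python script is an added example, not part of the Sigma rule or of the referenced repository, showing the same detection logic run over constructed auditd records and going slightly beyond the rule in two ways: it tests the ADDR_NO_RANDOMIZE bit rather than requiring equality, so a persona that combines it with other flags (for example 0x840000) is still caught, and it ignores the special query value 0xffffffff, which personality(2) returns the current persona for without changing it and which would otherwise pass a naive bit test. The log lines, PIDs, paths and the audit key aslr_disable are all constructed; the arch-to-syscall-number table covers only the three architectures listed.

```python
import re

# ADDR_NO_RANDOMIZE from <sys/personality.h>: bit 0x0040000 of the persona word.
ADDR_NO_RANDOMIZE = 0x0040000
# personality(0xffffffff) only queries the current persona (man 2 personality);
# its a0 has every bit set, so it must be excluded before the bit test.
PERSONA_QUERY = 0xFFFFFFFF

# Raw auditd records carry the syscall number, not the name, so map the audit
# arch code to the personality syscall number for the architectures handled here.
PERSONALITY_NR = {
    "c000003e": 135,  # x86_64
    "40000003": 136,  # i386
    "c00000b7": 92,   # aarch64
}

# Constructed sample records (not real captures). Field subsets are abbreviated;
# the last line is in the name-resolved style that the Sigma rule itself matches on.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1748250000.101:501): arch=c000003e syscall=135 success=yes exit=0 a0=40000 a1=0 a2=0 a3=0 pid=1234 auid=1000 uid=1000 comm="setarch" exe="/usr/bin/setarch" key="aslr_disable"
type=SYSCALL msg=audit(1748250001.202:502): arch=c000003e syscall=135 success=yes exit=0 a0=ffffffff a1=0 a2=0 a3=0 pid=1235 auid=1000 uid=1000 comm="ld-linux-x86-64" exe="/usr/lib64/ld-linux-x86-64.so.2" key="aslr_disable"
type=SYSCALL msg=audit(1748250002.303:503): arch=c000003e syscall=135 success=yes exit=0 a0=840000 a1=0 a2=0 a3=0 pid=1236 auid=1000 uid=1000 comm="harness" exe="/home/dev/harness" key="aslr_disable"
type=SYSCALL msg=audit(1748250003.404:504): arch=c00000b7 syscall=92 success=yes exit=0 a0=40000 a1=0 a2=0 a3=0 pid=1237 auid=1000 uid=1000 comm="setarch" exe="/usr/bin/setarch" key="aslr_disable"
type=SYSCALL msg=audit(1748250004.505:505): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd9c3e1a10 a1=7ffd9c3e1b20 a2=7ffd9c3e1c30 a3=0 pid=1238 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL arch=x86_64 syscall=personality success=yes exit=0 a0=0x40000 a1=0x0 a2=0x0 a3=0x0 pid=1239 auid=1000 uid=1000 comm=setarch exe=/usr/bin/setarch key=aslr_disable
"""


def parse_audit_record(line: str) -> dict:
    """Split one auditd record into key/value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def is_personality_syscall(rec: dict) -> bool:
    """True for a SYSCALL record whose syscall is personality, by name or by number."""
    if rec.get("type") != "SYSCALL":
        return False
    sc = rec.get("syscall", "")
    if sc == "personality":  # name-resolved form
        return True
    try:
        return PERSONALITY_NR.get(rec.get("arch", "").lower()) == int(sc)
    except ValueError:
        return False


def persona_disables_aslr(a0: str) -> bool:
    """True when the persona argument sets ADDR_NO_RANDOMIZE and is not the query value."""
    value = int(a0, 16)  # auditd prints a0 in hex, with or without a 0x prefix
    if value == PERSONA_QUERY:
        return False
    return bool(value & ADDR_NO_RANDOMIZE)


def detect_aslr_disable(log_text: str) -> list:
    """Return one summary dict per record that disables ASLR via personality()."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_audit_record(line)
        if not is_personality_syscall(rec) or "a0" not in rec:
            continue
        if persona_disables_aslr(rec["a0"]):
            hits.append({f: rec.get(f, "") for f in ("pid", "comm", "exe", "a0", "success")})
    return hits


if __name__ == "__main__":
    for hit in detect_aslr_disable(SAMPLE_LOG):
        print(hit)
```

Running it reports the records for PIDs 1234, 1236, 1237 and 1239 and skips the persona query (1235) and the unrelated execve record (1238). auditd only produces SYSCALL records for personality if a rule audits that syscall, for example `-a always,exit -F arch=b64 -S personality -k aslr_disable` in the audit rules (a key of your choosing; the rule does not otherwise appear in a default configuration). As the rule's falsepositives entry notes, debuggers and `setarch -R` disable randomization the same way, so the comm and exe fields of each hit are what an analyst triages on.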
