Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See man ld.so for more information.
Sigma rule (View on GitHub)
1title: Code Injection by ld.so Preload
2id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
3status: test
4description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
5references:
6 - https://man7.org/linux/man-pages/man8/ld.so.8.html
7author: Christian Burkard (Nextron Systems)
8date: 2021-05-05
9modified: 2022-10-09
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.006
15logsource:
16 product: linux
17detection:
18 keywords:
19 - '/etc/ld.so.preload'
20 condition: keywords
21falsepositives:
22 - Rare temporary workaround for library misconfiguration
23level: high
References
-
ld.so(8) — Linux manual page ld.so(8) System Manager's Manual ld.so(8) NAME top ld.so, ld-linux.so - dynamic linker/loader SYNOPSIS top The dynamic linker can be run either indirect...
Read More
Related rules
- Modification of ld.so.preload
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation