Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See man ld.so for more information.
Sigma rule (View on GitHub)
1title: Code Injection by ld.so Preload
2id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
3status: test
4description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
5references:
6 - https://man7.org/linux/man-pages/man8/ld.so.8.html
7author: Christian Burkard (Nextron Systems)
8date: 2021/05/05
9modified: 2022/10/09
10tags:
11 - attack.persistence
12 - attack.privilege_escalation
13 - attack.t1574.006
14logsource:
15 product: linux
16detection:
17 keywords:
18 - '/etc/ld.so.preload'
19 condition: keywords
20falsepositives:
21 - Rare temporary workaround for library misconfiguration
22level: high
References
-
ld.so(8) — Linux manual page ld.so(8) System Manager's Manual ld.so(8) NAME top ld.so, ld-linux.so - dynamic linker/loader SYNOPSIS top The dynamic linker can be run either indirect...
Read More
Related rules
- Malicious Service Installations
- WMI Persistence - Security
- Loading of Kernel Module via Insmod
- Suspicious Commands by SQL Server
- UAC Bypass With Fake DLL