Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See man ld.so for more information.
Sigma rule (View on GitHub)
1title: Code Injection by ld.so Preload
2id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
3status: test
4description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
5references:
6 - https://man7.org/linux/man-pages/man8/ld.so.8.html
7author: Christian Burkard (Nextron Systems)
8date: 2021-05-05
9modified: 2022-10-09
10tags:
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.execution
14 - attack.stealth
15 - attack.t1574.006
16logsource:
17 product: linux
18detection:
19 keywords:
20 - '/etc/ld.so.preload'
21 condition: keywords
22falsepositives:
23 - Rare temporary workaround for library misconfiguration
24level: high
References
-
ld.so(8) — Linux manual page ld.so(8) System Manager's Manual ld.so(8) NAME top ld.so, ld-linux.so - dynamic linker/loader SYNOPSIS top The dynamic linker can be run either indirect...
Read More
Related rules
- Modification of ld.so.preload
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation