
Code Injection by ld.so Preload

Detects references to the ld.so preload persistence file `/etc/ld.so.preload`. The dynamic linker reads this file at every program start and loads each shared object listed in it into every dynamically linked process, including privileged ones, so an attacker who can write to it gets code execution inside every program started afterwards. See `man ld.so` for more information.

Author: Christian Burkard (Nextron Systems)
Log Source
Product: linux
Detection Logic
detection:
    keywords:
        - '/etc/ld.so.preload'
    condition: keywords
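The detection block above is a single Sigma `keywords` list, which backends translate into a case-insensitive substring search across the whole raw event, whatever field the text lands in. The following is an added example (not the rule page's own code and not part of the Sigma project) that applies those semantics to a handful of constructed Linux log lines: auditd SYSCALL/PATH records, sudo log entries, and a line using the `LD_PRELOAD` environment variable instead of the file. Hostnames, usernames, timestamps, PIDs and the library name `libprocesshider.so` are made up for illustration.

```python
"""Apply the lnx_ldso_preload_injection keyword logic to constructed log lines.

Added example for illustration; not code from the rule page or the Sigma project.
"""

import re

# The rule's single keyword, copied from the detection block.
KEYWORDS = ["/etc/ld.so.preload"]

# Sigma string matching is case-insensitive by default, and a 'keywords' list is
# searched as a substring of the entire raw event rather than a specific field.
_PATTERNS = [re.compile(re.escape(k), re.IGNORECASE) for k in KEYWORDS]


def matches_rule(event: str) -> bool:
    """Return True if any keyword occurs anywhere in the raw event text."""
    return any(p.search(event) for p in _PATTERNS)


def run_rule(events):
    """Return the events the rule would flag, preserving input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; all values are invented for this example.
SAMPLE_EVENTS = [
    # auditd: openat() by bash with flags a2=241 (O_WRONLY|O_CREAT|O_TRUNC).
    # The SYSCALL record itself does not carry the path, so it does not match.
    'type=SYSCALL msg=audit(1715000000.101:1001): arch=c000003e syscall=257 success=yes '
    'exit=3 a0=ffffff9c a2=241 a3=1b6 comm="bash" exe="/usr/bin/bash" uid=0',
    # auditd: the PATH record of the same event names the file and matches.
    'type=PATH msg=audit(1715000000.101:1001): item=1 name="/etc/ld.so.preload" '
    'nametype=CREATE mode=0100644 ouid=0',
    # sudo: the classic installation step, writing a library path into the file.
    'May  6 14:02:11 host sudo:  alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; '
    'COMMAND=/bin/sh -c echo /usr/lib/libprocesshider.so > /etc/ld.so.preload',
    # sudo: an administrator merely reading the file also matches (see False Positives).
    'May  6 14:05:40 host sudo:  bob : TTY=pts/2 ; PWD=/root ; USER=root ; '
    'COMMAND=/bin/cat /etc/ld.so.preload',
    # sudo: LD_PRELOAD via the environment is the same MITRE technique (T1574.006)
    # but a different artifact, so this rule does not fire on it.
    'May  6 14:07:02 host sudo:  bob : TTY=pts/2 ; PWD=/root ; USER=root ; '
    'COMMAND=/usr/bin/env LD_PRELOAD=/tmp/x.so /usr/bin/id',
    # Unrelated noise.
    'type=SYSCALL msg=audit(1715000000.250:1002): syscall=59 comm="ls" exe="/usr/bin/ls"',
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT [high] lnx_ldso_preload_injection:", hit)
```

Two things the run makes visible. First, the rule fires on any event that mentions the path, so a read by an administrator or a backup job is flagged exactly like the write that installs the implant; when the source is auditd, the correlated SYSCALL record (same `msg=audit(...:serial)`) tells the two apart, since open flags such as `a2=241` (O_WRONLY|O_CREAT|O_TRUNC) indicate a write. Second, preloading through the `LD_PRELOAD` environment variable never touches `/etc/ld.so.preload` and needs separate coverage.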
False Positives

Rare temporary workaround for library misconfiguration

Rule Metadata
Rule ID
7e3c4651-c347-40c4-b1d4-d48590fdf684
Status
test
Level
high
Type
Detection
Created
Wed May 05
Modified
Sun Oct 09
Path
rules/linux/builtin/lnx_ldso_preload_injection.yml
Raw Tags
attack.defense-evasion, attack.persistence, attack.privilege-escalation, attack.t1574.006