Detection | high | experimental

ASLR Disabled Via Sysctl or Direct Syscall - Linux

Detects actions that disable Address Space Layout Randomization (ASLR) on Linux, including:

- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`

Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of any of these methods removes the address randomization that ASLR provides for the affected process (personality) or for every new process on the host (randomize_va_space), making memory corruption attacks more reliable.

Author: Milad Cheraghi. Created Mon May 26, updated Fri Dec 05. Rule ID e497a24e-9345-4a62-9803-b06d7d7cb132. Product: linux.
Log Source
Product: linux
Service: auditd
Detection Logic (2 selectors)
detection:
    selection_syscall:
        type: 'SYSCALL'
        SYSCALL: 'personality'
        a0: 40000                  # ADDR_NO_RANDOMIZE = 0x0040000; auditd logs args in hex without the 0x prefix
    selection_sysctl:
        type: 'EXECVE'
        a0: 'sysctl'
        a1: '-w'
        a2: 'kernel.randomize_va_space=0' # 0 = disable (1 = conservative, 2 = full randomization, neither matched)
    condition: 1 of selection_*

Two things to check before relying on this rule. The SYSCALL selector only fires if the `personality` syscall is audited at all, so an audit rule such as `-a always,exit -F arch=b64 -S personality` (and the b32 equivalent) has to be loaded. The selectors also cover only two of the three methods in the description: a direct write to /proc/sys/kernel/randomize_va_space (for example a shell redirect, where `echo` is a builtin and never appears in an EXECVE record) needs a separate file-watch audit rule on that path, and `sysctl kernel.randomize_va_space=0` without `-w`, which sysctl also accepts, does not match the exact `a1: '-w'` field.
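To see what the two selectors match and miss, here is an added Python replay of the rule over a handful of constructed, abbreviated auditd records. This is editor-added example code, not part of the rule or the Sigma project. It assumes x86_64 records, where raw auditd writes `syscall=135` for `personality` and prints `a0` in hex without a `0x` prefix (`ausearch -i` resolves the name the rule matches on); the sample records, the serials and the `selection_syscall_masked` check, which tolerates ADDR_NO_RANDOMIZE ORed with another persona and is not part of the rule, are all assumptions added for the illustration.

```python
"""Replay the rule's two selectors over constructed auditd records.

Editor-added example; not part of the Sigma rule or the Sigma project.
Assumes x86_64 records: raw auditd writes syscall=135 for personality and
prints a0 in hex without a 0x prefix (ausearch -i shows the name instead).
"""
import re

ADDR_NO_RANDOMIZE = 0x0040000   # include/uapi/linux/personality.h
PERSONALITY_QUERY = 0xFFFFFFFF  # personality(0xffffffff) only reads the current persona

# Assumption: x86_64 hosts only (arch=c000003e); extend for other architectures.
SYSCALL_NAMES_X86_64 = {135: "personality"}

# Constructed, abbreviated records (real SYSCALL lines carry more fields).
# 1001: gdb starting an inferior, personality(ADDR_NO_RANDOMIZE)
# 1002: personality(PER_LINUX32 | ADDR_NO_RANDOMIZE), a0 is 0x40008 not 0x40000
# 1003: sysctl -w kernel.randomize_va_space=0
# 1004: same write without -w
# 1005: sysctl -w kernel.randomize_va_space=2 (re-enabling full ASLR)
# 1006: personality(0xffffffff), a query that changes nothing
SAMPLE_AUDIT_LOG = """
type=SYSCALL msg=audit(1716700000.101:1001): arch=c000003e syscall=135 success=yes exit=0 a0=40000 a1=0 a2=0 a3=0 pid=1234 comm="gdb" exe="/usr/bin/gdb" key="aslr"
type=SYSCALL msg=audit(1716700000.102:1002): arch=c000003e syscall=135 success=yes exit=0 a0=40008 a1=0 a2=0 a3=0 pid=1235 comm="setarch" exe="/usr/bin/setarch" key="aslr"
type=EXECVE msg=audit(1716700000.103:1003): argc=3 a0="sysctl" a1="-w" a2="kernel.randomize_va_space=0"
type=EXECVE msg=audit(1716700000.104:1004): argc=2 a0="sysctl" a1="kernel.randomize_va_space=0"
type=EXECVE msg=audit(1716700000.105:1005): argc=3 a0="sysctl" a1="-w" a2="kernel.randomize_va_space=2"
type=SYSCALL msg=audit(1716700000.106:1006): arch=c000003e syscall=135 success=yes exit=0 a0=ffffffff a1=0 a2=0 a3=0 pid=1236 comm="setarch" exe="/usr/bin/setarch" key="aslr"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")


def parse_record(line):
    """Turn one raw auditd line into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["serial"] = int(m.group(1)) if m else None
    if rec.get("type") == "SYSCALL" and rec.get("syscall", "").isdigit():
        rec["syscall"] = SYSCALL_NAMES_X86_64.get(int(rec["syscall"]), rec["syscall"])
    return rec


def selection_syscall(rec):
    """Rule as written: personality() with a0 exactly 0x40000 (no 0x in auditd output)."""
    return (rec.get("type") == "SYSCALL"
            and rec.get("syscall") == "personality"
            and rec.get("a0") == "40000")


def selection_sysctl(rec):
    """Rule as written: sysctl -w kernel.randomize_va_space=0, all three argv fields exact."""
    return (rec.get("type") == "EXECVE"
            and rec.get("a0") == "sysctl"
            and rec.get("a1") == "-w"
            and rec.get("a2") == "kernel.randomize_va_space=0")


def rule_matches(rec):
    """condition: 1 of selection_*"""
    return selection_syscall(rec) or selection_sysctl(rec)


def selection_syscall_masked(rec):
    """Broader check, not part of the rule: the flag ORed with any persona,
    skipping the 0xffffffff query value that only reads the current persona."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != "personality":
        return False
    try:
        a0 = int(rec["a0"], 16)
    except (KeyError, ValueError):
        return False
    return a0 != PERSONALITY_QUERY and bool(a0 & ADDR_NO_RANDOMIZE)


def scan(log_text, check=rule_matches):
    """Return the audit serials of records the given check flags, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if check(rec):
            hits.append(rec["serial"])
    return hits


if __name__ == "__main__":
    print("rule as written:", scan(SAMPLE_AUDIT_LOG))                    # [1001, 1003]
    print("masked persona: ", scan(SAMPLE_AUDIT_LOG, selection_syscall_masked))  # [1001, 1002]
```

The replay shows the rule firing on the gdb call and on `sysctl -w`, while the ORed persona (1002) and the `sysctl` write without `-w` (1004) pass silently; the masked variant closes the first gap but must exclude the `0xffffffff` query, which would otherwise match on every bit.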
False Positives

Debugging or legitimate software testing. GDB in particular disables ASLR for the program it launches by default (its `disable-randomization` setting is on), which produces exactly the `personality` call the first selector matches.

Rule Metadata
Rule ID
e497a24e-9345-4a62-9803-b06d7d7cb132
Status
experimental
Level
high
Type
Detection
Created
Mon May 26
Modified
Fri Dec 05
Path
rules/linux/auditd/lnx_auditd_disable_aslr_protection.yml
Raw Tags
attack.privilege-escalation, attack.defense-evasion, attack.t1562.001, attack.t1055.009