Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Linux Auditd Preload Hijack Library Calls

The following analytic detects the use of the LD_PRELOAD environment variable to hijack or hook library functions on a Linux platform. It leverages data from Linux Auditd, focusing on process execution logs that include command-line details. This activity is significant because adversaries, malware authors, and red teamers commonly use this technique to gain elevated privileges and establish persistence on a compromised machine. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, and maintain long-term access to the system.

Rule source: detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
`linux_auditd` execve_command = "*LD_PRELOAD*"
  | rename host as dest
  | rename comm as process_name
  | rename exe as process
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY argc execve_command dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_preload_hijack_library_calls_filter`
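As an added example, not part of the rule or of splunk/security_content, the following Python mirrors the SPL above over constructed auditd EXECVE records: it rebuilds execve_command from the a0..aN fields (decoding the unquoted hex form auditd uses for an argument containing a space or quote, which a plain "*LD_PRELOAD*" string match on the raw line would miss), keeps the LD_PRELOAD matches and aggregates count/firstTime/lastTime by argc, execve_command and dest. The host name `host01` and the sample lines are assumed values.

```python
import re
from collections import defaultdict

# Regexes for the EXECVE record: timestamp/argc header, then a0..aN values,
# which auditd writes either quoted or (for values containing a space or
# quote) as an unquoted hex string.
HDR_RE = re.compile(r"msg=audit\((\d+\.\d+):\d+\):.*?\bargc=(\d+)")
ARG_RE = re.compile(r'\ba\d+=(?:"([^"]*)"|([0-9A-Fa-f]+))')

# Constructed sample records; "host01" is an assumed host name (the rule's dest).
HEX_ARG = "LD_PRELOAD=/tmp/libhook.so id".encode().hex().upper()
SAMPLE_AUDITD = [
    'type=EXECVE msg=audit(1717000001.123:501): argc=3 a0="env" a1="LD_PRELOAD=/tmp/libhook.so" a2="id"',
    'type=EXECVE msg=audit(1717000002.456:502): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1717000003.789:503): argc=3 a0="sh" a1="-c" a2=' + HEX_ARG,
    'type=EXECVE msg=audit(1717000004.000:504): argc=3 a0="env" a1="LD_PRELOAD=/tmp/libhook.so" a2="id"',
    "type=SYSCALL msg=audit(1717000004.000:504): arch=c000003e syscall=59 success=yes exit=0",
]

def parse_execve(line, dest="host01"):
    """Return the fields the SPL uses (_time, argc, execve_command, dest), or None."""
    if not line.startswith("type=EXECVE"):
        return None
    hdr = HDR_RE.search(line)
    if hdr is None:
        return None
    args = []
    for quoted, hexed in ARG_RE.findall(line):
        # Decode hex-encoded argv entries so LD_PRELOAD inside them is visible.
        args.append(bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted)
    return {"_time": float(hdr.group(1)), "argc": int(hdr.group(2)),
            "execve_command": " ".join(args), "dest": dest}

def detect_ld_preload(lines):
    """execve_command="*LD_PRELOAD*" | stats count min(_time) max(_time) BY argc execve_command dest."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_execve(line)
        if ev is not None and "LD_PRELOAD" in ev["execve_command"]:
            buckets[(ev["argc"], ev["execve_command"], ev["dest"])].append(ev["_time"])
    return [{"argc": argc, "execve_command": cmd, "dest": dest, "count": len(times),
             "firstTime": min(times), "lastTime": max(times)}
            for (argc, cmd, dest), times in sorted(buckets.items())]

if __name__ == "__main__":
    for row in detect_ld_preload(SAMPLE_AUDITD):
        print(row)
```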