2019-10-28 10:59:49 +00:00
title: Modification of ld.so.preload
id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751
status: experimental
description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
modified: 2019/11/11
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
    - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name: '/etc/ld.so.preload'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1574.006
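The rule above reduces to one test: an auditd PATH record whose name is /etc/ld.so.preload. The following is an added example, not part of the Sigma rule or of the oscd.community project, that applies that same selection to raw auditd records and enriches each hit with the SYSCALL record of the same audit event so the alert names the process (comm, exe, auid). The audit lines are constructed for the example; field names follow the auditd record format, and the event serials, inodes and process names are made up.

```python
import re

# Constructed sample auditd records (not taken from the page or from any real host).
# Event 456: bash creates /etc/ld.so.preload (nametype=CREATE).
# Event 457: ldconfig touches an unrelated file under /etc.
# Event 458: cat merely reads /etc/ld.so.preload (nametype=NORMAL).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1572259189.123:456): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 comm="bash" exe="/usr/bin/bash" key="preload"
type=CWD msg=audit(1572259189.123:456): cwd="/root"
type=PATH msg=audit(1572259189.123:456): item=0 name="/etc/" inode=1 dev=08:01 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1572259189.123:456): item=1 name="/etc/ld.so.preload" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE
type=SYSCALL msg=audit(1572259200.000:457): arch=c000003e syscall=257 success=yes exit=4 items=1 pid=1300 auid=1000 uid=1000 comm="ldconfig" exe="/usr/sbin/ldconfig" key="preload"
type=PATH msg=audit(1572259200.000:457): item=0 name="/etc/ld.so.cache" inode=1235 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1572259210.000:458): arch=c000003e syscall=257 success=yes exit=3 items=1 pid=1400 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="preload"
type=PATH msg=audit(1572259210.000:458): item=0 name="/etc/ld.so.preload" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# key=value pairs; values are either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit(<epoch>.<ms>:<serial>) links every record of one event together
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')

# The rule's selection value: name: '/etc/ld.so.preload'
WATCHED_PATH = "/etc/ld.so.preload"


def parse_audit_line(line):
    """Parse one auditd record into a dict of fields (quotes stripped),
    adding 'timestamp' and 'serial' pulled out of the msg=audit(...) field."""
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def matches_selection(record):
    """The Sigma selection from the rule: type == PATH and name == /etc/ld.so.preload."""
    return record.get("type") == "PATH" and record.get("name") == WATCHED_PATH


def detect(log_text):
    """Apply the selection to every record; for each hit, pull comm/exe/auid from
    the SYSCALL record that shares the same audit serial."""
    records = [parse_audit_line(line) for line in log_text.splitlines() if line.strip()]
    syscalls = {r["serial"]: r for r in records
                if r.get("type") == "SYSCALL" and "serial" in r}
    hits = []
    for r in records:
        if not matches_selection(r):
            continue
        sc = syscalls.get(r.get("serial"), {})
        hits.append({
            "serial": r.get("serial"),
            "timestamp": r.get("timestamp"),
            "name": r["name"],
            "nametype": r.get("nametype"),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "auid": sc.get("auid"),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LOG):
        print(f"[{hit['serial']}] {hit['exe']} (comm={hit['comm']}, auid={hit['auid']}) "
              f"-> {hit['name']} nametype={hit['nametype']}")
```

Both event 456 (the write) and event 458 (a plain read) match, because the rule keys only on the PATH name: it reports whatever auditd chose to record for that file, and `nametype` alone does not distinguish a read from an in-place overwrite (both show NORMAL). In practice the read/write distinction is made at collection time with a file watch limited to writes and attribute changes, e.g. `auditctl -w /etc/ld.so.preload -p wa -k preload`, which keeps event 458 out of the log altogether; with a watch that also audits reads, expect legitimate loader and inspection activity to appear among the hits.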