title: Code Injection by ld.so Preload
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
status: experimental
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
author: Christian Burkard
date: 2021/05/05
references:
    - https://man7.org/linux/man-pages/man8/ld.so.8.html
logsource:
    product: linux
detection:
    keyword: 
        - '/etc/ld.so.preload'
    condition: keyword
falsepositives:
    - rare temporary workaround for library misconfiguration
level: high
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1574.006