mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
21 lines
593 B
YAML
21 lines
593 B
YAML
title: Code Injection by ld.so Preload
|
|
id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
|
|
status: experimental
|
|
description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
|
|
author: Christian Burkard
|
|
date: 2021/05/05
|
|
references:
|
|
- https://man7.org/linux/man-pages/man8/ld.so.8.html
|
|
logsource:
|
|
product: linux
|
|
detection:
|
|
keyword:
|
|
- '/etc/ld.so.preload'
|
|
condition: keyword
|
|
falsepositives:
|
|
- rare temporary workaround for library misconfiguration
|
|
level: high
|
|
tags:
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.t1574.006 |