Editing ld.so.preload for persistence and injection

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)

Severity

High

Description

Attackers may modify ld.so.preload to load their malicious code into every dynamically linked process.

Attacker's Goals

Gain persistence and inject itself into every program on the system.

Investigative actions

  • Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
  • Download the /etc/ld.so.preload file from the host and see if and what libraries are specified there.
  • Download any library specified and see if it's benign.