Unusual process access to ld.so.preload file

Cortex XDR Analytics Alert Reference by Alert name
Product
Cortex XDR
Last date published
2025-03-09
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006)

Severity

Medium

Description

Attackers can modify ld.so.preload to inject malicious code into every dynamically linked process, enabling persistence and code execution. This detected operation is considered atypical in terms of access.

Attacker's Goals

This allows attackers to inject malicious code into system processes, gain persistence, code injection, evading detection, and potentially escalating privileges.

Investigative actions

  • Check whether the executing process is benign, and if this was a desired behavior as part of its normal execution flow.
  • Download the /etc/ld.so.preload file from the host and see if and what libraries are specified there.
  • Download any library specified and see if it's benign.