IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Modification of Dynamic Linker Preload Shared Object Modification of Environment Variable via Launchctl »

› › ›

Modification of Dynamic Linker Preload Shared Object Inside A Container

edit

Modification of Dynamic Linker Preload Shared Object Inside A Container

edit

This rule detects the creation or modification of the dynamic linker preload shared object (ld.so.preload) inside a container. The Linux dynamic linker is used to load libraries needed by a program at runtime. Adversaries may hijack the dynamic linker by modifying the /etc/ld.so.preload file to point to malicious libraries. This behavior can be used to grant unauthorized access to system resources and has been used to evade detection of malicious processes in container environments.

Rule type: eql

Rule indices:

logs-cloud_defend*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Data Source: Elastic Defend for Containers
Domain: Container
Tactic: Defense Evasion

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

file where event.module== "cloud_defend" and event.type != "deletion" and file.path== "/etc/ld.so.preload"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
Sub-technique:
- Name: Dynamic Linker Hijacking
- ID: T1574.006
- Reference URL: https://attack.mitre.org/techniques/T1574/006/

« Modification of Dynamic Linker Preload Shared Object Modification of Environment Variable via Launchctl »