Modification of Dynamic Linker Preload Shared Object Inside A Container

This rule detects the creation or modification of the dynamic linker preload file (/etc/ld.so.preload) inside a container; deletions of the file are excluded by the query. The Linux dynamic linker loads the shared libraries a program needs at runtime, and every library listed in /etc/ld.so.preload is loaded into each dynamically linked process before the program's own dependencies. Adversaries may hijack the dynamic linker by writing the path of a malicious library into this file, which lets that library intercept library calls in every new process. This behavior can be used to gain unauthorized access to system resources and has been used to evade detection of malicious processes in container environments.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • Tactic: Defense Evasion

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

file where event.module == "cloud_defend" and event.type != "deletion" and file.path == "/etc/ld.so.preload"
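
The following is an added example, not part of the Elastic rule or its documentation: a Python mirror of the query's predicate run over a handful of constructed Elastic Defend for Containers (cloud_defend) file events, so the effect of each clause can be checked offline. Field names follow ECS (event.category, event.module, event.type, file.path); the event bodies, ids and process names are constructed test data, not captured telemetry.

```python
"""Added example, not the Elastic rule's own code: a Python mirror of the
rule's EQL predicate run over constructed cloud_defend file events so each
clause's effect can be checked offline. Field names follow ECS; the event
bodies below are constructed test data, not captured telemetry."""

TARGET_PATH = "/etc/ld.so.preload"


def _as_list(value):
    """ECS allows event.category / event.type to be a string or an array."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def matches_rule(event: dict) -> bool:
    """Mirror of:
       file where event.module == "cloud_defend"
         and event.type != "deletion"
         and file.path == "/etc/ld.so.preload"
    `file where` restricts to events whose event.category includes "file"."""
    return (
        "file" in _as_list(event.get("event.category"))
        and event.get("event.module") == "cloud_defend"
        and "deletion" not in _as_list(event.get("event.type"))
        and event.get("file.path") == TARGET_PATH
    )


def sample_events():
    """Constructed events (not captured telemetry). Later keys override
    the shared base fields, e.g. event.module in 'wrong-module'."""
    base = {"event.category": ["file"], "event.module": "cloud_defend"}
    return [
        {**base, "id": "create-preload", "event.type": ["creation"],
         "file.path": TARGET_PATH, "process.name": "sh"},
        {**base, "id": "modify-preload", "event.type": ["change"],
         "file.path": TARGET_PATH, "process.name": "tee"},
        # Excluded by the event.type != "deletion" clause.
        {**base, "id": "delete-preload", "event.type": ["deletion"],
         "file.path": TARGET_PATH, "process.name": "rm"},
        # Different file under /etc: no match.
        {**base, "id": "create-cache", "event.type": ["creation"],
         "file.path": "/etc/ld.so.cache", "process.name": "ldconfig"},
        # Same path, but not from the cloud_defend data source.
        {**base, "id": "wrong-module", "event.module": "endpoint",
         "event.type": ["creation"], "file.path": TARGET_PATH},
        # Same file reached through a different recorded path: the query
        # compares the literal string, so this does not match.
        {**base, "id": "preload-via-other-path", "event.type": ["creation"],
         "file.path": "/host/etc/ld.so.preload", "process.name": "cp"},
    ]


def alerting_ids(events):
    """Return the ids of the events that would raise this alert."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in sample_events():
        verdict = "ALERT" if matches_rule(e) else "no match"
        print(f"{e['id']:<24} {e['file.path']:<28} -> {verdict}")
```

Running the block alerts on the creation and the change event only. The two negative cases worth noting are the deletion (excluded on purpose, since removing the file is not the hijack) and the write recorded under a different path: the rule compares file.path against the literal string "/etc/ld.so.preload", so only events whose path is recorded exactly that way inside the container are matched.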

Framework: MITRE ATT&CK™