Dynamic linker hijacking attempt


Goal

Detect attempts to load a malicious library.

Strategy

After an attacker’s initial intrusion into a victim container or host (for example, through a web shell exploit), they may attempt to escalate privileges, evade defenses, or establish persistence by hijacking environment variables such as LD_PRELOAD, or configuration files such as /etc/ld.so.preload, which the dynamic linker uses to load shared libraries.

Requires Agent version 7.39 or greater
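
As a complement to the rule described above, the following added example (not part of the original page and not the Agent's rule logic) is a point-in-time host audit that lists every library named in /etc/ld.so.preload or in a running process's LD_PRELOAD. The `SUSPECT_DIRS` list and the relative-path heuristic are assumptions to adapt per host.

```python
import os
import re

PRELOAD_FILE = "/etc/ld.so.preload"
# Assumption: directories where a preloaded library is unexpected on this host.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

def entries_from_environ(environ: bytes) -> list[str]:
    """Return LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for var in environ.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            value = var[len(b"LD_PRELOAD="):].decode(errors="replace")
            # The dynamic linker accepts spaces or colons as separators.
            return [e for e in re.split(r"[ :]+", value) if e]
    return []

def entries_from_preload_file(text: str) -> list[str]:
    """Return library paths listed in ld.so.preload content, ignoring # comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries += [e for e in re.split(r"[\s:]+", line) if e]
    return entries

def is_suspect(path: str) -> bool:
    """Heuristic (assumption): flag relative paths and world-writable locations."""
    return not path.startswith("/") or path.startswith(SUSPECT_DIRS)

def audit_host(proc_root="/proc", preload_file=PRELOAD_FILE):
    """Collect (source, library, suspect) findings for the file and each readable process."""
    findings = []
    try:
        with open(preload_file) as fh:
            findings += [(preload_file, e, is_suspect(e))
                         for e in entries_from_preload_file(fh.read())]
    except OSError:
        pass  # the file is absent on most systems
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                env = fh.read()
        except OSError:
            continue  # process exited or permission denied
        findings += [(f"pid {pid}", e, is_suspect(e)) for e in entries_from_environ(env)]
    return findings

if __name__ == "__main__":
    for source, lib, suspect in audit_host():
        print(f"{'SUSPECT' if suspect else 'review '} {source}: {lib}")
```

Run it as root so that every process's environ file is readable. /proc/<pid>/environ reflects the environment at exec time, so a variable set later inside a process does not appear.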