Suspected dynamic linker hijacking attempt

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1574-hijack-execution-flow

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect attempts to load a malicious library.

Strategy

After an attacker’s initial intrusion into a victim container or host (for example, through a web shell exploit), they may attempt to escalate privileges, evade defenses, or establish persistence by hijacking environment variables such as LD_PRELOAD, or configuration files such as /etc/ld.so.preload/, which the dynamic linker uses to load shared libraries.

Triage and response

  1. Determine whether or not this is expected behavior.
  2. If this behavior is unexpected, attempt to contain the compromise (this may be achieved by terminating the workload, depending on the stage of attack) and look for indications of initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
  3. Determine the nature of the attack and utilities involved. Investigate security signals (if present) occurring around the time of the event to establish an attack path.
  4. Find and repair the root cause of the exploit.

Requires Agent version 7.39 or greater