
Dynamic linker config modified

Goal

Detect modifications to /etc/ld.so.preload, the file the Linux dynamic linker (ld.so) reads to load the listed shared objects into every dynamically linked program before anything else. Because it applies system-wide and, unlike the LD_PRELOAD environment variable, is honored for set-user-ID binaries as well, an attacker who can write to it can inject a malicious library into every new process: persistence and code execution for an attacker who already has root, and a path to privilege escalation if the file has been left writable. Userland rootkits also rely on it to hook libc and hide their files and processes.

Strategy

This rule fires on any File System Activity event (ocsf.class_uid:1001) whose target file is /etc/ld.so.preload. It is the cross-source counterpart to the linux-audit-logs rule of the same name and excludes that source so the two do not double-fire on auditd events; auditd records need event-id correlation to recover the acting process, which the dedicated rule handles. Expect benign hits from package post-install scripts and configuration management on hosts that legitimately preload a library, and baseline those writers rather than suppressing the rule.
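The match condition above, re-expressed as runnable Python and exercised over constructed events. This is an added illustration, not Datadog's implementation; the event shape (one JSON object per line with a top-level "source" and "host", and an "ocsf" object carrying class_uid, file.path and actor.process) is an assumption that mirrors the @ocsf.* attributes the rule references.

```python
"""Added example (not Datadog's implementation): the rule's match condition
expressed in Python and run over constructed, OCSF-shaped events.
Assumed event shape: one JSON object per line with a top-level "source",
a "host", and an "ocsf" object carrying class_uid, file.path and
actor.process, mirroring the @ocsf.* attributes the rule references."""
import json
from typing import Optional

WATCHED_PATH = "/etc/ld.so.preload"
FILE_SYSTEM_ACTIVITY = 1001           # OCSF class_uid: File System Activity
EXCLUDED_SOURCE = "linux-audit-logs"  # handled by the auditd-specific rule


def match_rule(event: dict) -> Optional[dict]:
    """Return a finding when the event should fire this rule, else None."""
    # The auditd counterpart rule owns this source; skip it to avoid double-firing.
    if event.get("source") == EXCLUDED_SOURCE:
        return None
    ocsf = event.get("ocsf") or {}
    if ocsf.get("class_uid") != FILE_SYSTEM_ACTIVITY:
        return None
    if (ocsf.get("file") or {}).get("path") != WATCHED_PATH:
        return None
    actor = ocsf.get("actor") or {}
    proc = actor.get("process") or {}
    # Fields the triage steps ask for; tolerate events with missing process context.
    return {
        "host": event.get("host", "unknown"),
        "process_path": proc.get("path", "unknown"),
        "process_name": proc.get("name", "unknown"),
        "user": (actor.get("user") or {}).get("name", "unknown"),
    }


def run(lines: list) -> list:
    """Apply match_rule to each JSON line, skipping lines that do not parse."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = match_rule(event)
        if finding:
            findings.append(finding)
    return findings


def _ev(source, host, class_uid, path, process=None, user=None) -> str:
    """Build one constructed event line (sample data, not real telemetry)."""
    actor = {}
    if process:
        actor["process"] = process
    if user:
        actor["user"] = {"name": user}
    return json.dumps({
        "source": source, "host": host,
        "ocsf": {"class_uid": class_uid, "file": {"path": path}, "actor": actor},
    })


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: agent-sourced write to the watched file -> fires
    _ev("datadog-agent", "web-01", 1001, WATCHED_PATH,
        {"name": "bash", "path": "/usr/bin/bash", "pid": 4242}, "root"),
    # 2: the same activity seen via auditd -> excluded, the auditd rule covers it
    _ev("linux-audit-logs", "web-01", 1001, WATCHED_PATH,
        {"name": "bash", "path": "/usr/bin/bash", "pid": 4242}, "root"),
    # 3: file system activity on a different linker config file -> no match
    _ev("datadog-agent", "web-01", 1001, "/etc/ld.so.conf",
        {"name": "ldconfig", "path": "/sbin/ldconfig"}, "root"),
    # 4: right path but not a File System Activity event -> no match
    _ev("datadog-agent", "web-01", 1007, WATCHED_PATH,
        {"name": "cat", "path": "/usr/bin/cat"}, "root"),
    # 5: malformed line -> skipped
    "{not json",
    # 6: watched file touched but process context missing -> fires with unknowns
    _ev("datadog-agent", "db-02", 1001, WATCHED_PATH),
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Event 6 is the case worth noticing: the rule still fires when the collector could not attach process context, so the triage steps below must cope with "unknown" actor fields rather than assume they are always populated.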

Triage and response

  1. Identify the process that touched /etc/ld.so.preload using {{@ocsf.actor.process.path}} and {{@ocsf.actor.process.name}}, and the user it ran as; package managers and configuration-management agents are the usual benign writers.
  2. Review the current contents of /etc/ld.so.preload on host {{host}} and check every listed library: where it lives, who owns it, and whether an installed package accounts for it. A userland rootkit loaded from this file can hook libc's file and directory functions to hide its own entry, so if the host is already suspect, read the file with a statically linked tool or from a rescue environment.
  3. Check when the file was last modified (stat /etc/ld.so.preload). The modification time can be reset by an attacker, so compare it with the change time (ctime), which cannot be set directly, and correlate both with surrounding process and authentication logs.
  4. If unauthorized, remove the malicious entry, terminate any processes that preloaded the library (its path appears in each such process's /proc/<pid>/maps), and investigate the initial access vector.
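A triage helper for step 2, added here as an example and not part of the Datadog rule. It parses the file the way glibc's loader does (entries separated by whitespace or ':', '#' to end of line is a comment) and flags entries that deserve a closer look. The trusted and suspicious prefix lists and the allowlist are assumptions to adapt to the host's build; the `exists` callback is injectable so the example runs against constructed content. Note that on a compromised host any dynamically linked tool, this script included, loads the preloaded library itself, so run it against a copy of the file or from a trusted environment.

```python
"""Added example (not part of the Datadog rule): a triage helper for
reviewing the contents of /etc/ld.so.preload. It parses the file as glibc's
rtld does (whitespace- or ':'-separated entries, '#' to end of line is a
comment) and flags entries that deserve a closer look. The prefix lists
and the allowlist are assumptions to adapt to the host."""
import os
from typing import Callable, FrozenSet

# Assumed: where a legitimately preloaded library normally lives.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Assumed: locations where a dropped library is a classic indicator.
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_preload(content: str) -> list:
    """Return the library entries in the order the loader would read them."""
    entries = []
    for line in content.splitlines():
        body = line.split("#", 1)[0]          # drop comments
        entries.extend(body.replace(":", " ").split())
    return entries


def assess_entry(entry: str, exists: Callable[[str], bool], allowlist: FrozenSet[str]) -> list:
    """Return the reasons an entry looks suspicious; empty means nothing flagged."""
    reasons = []
    if entry in allowlist:
        return reasons
    if not entry.startswith("/"):
        reasons.append("relative name, resolved through the library search path")
    elif entry.startswith(SUSPICIOUS_PREFIXES):
        reasons.append("lives in a temporary or user-writable location")
    elif not entry.startswith(TRUSTED_PREFIXES):
        reasons.append("outside the standard library directories")
    if any(part.startswith(".") for part in entry.split("/") if part):
        reasons.append("hidden path component")
    if entry.startswith("/") and not exists(entry):
        # A dangling entry is still worth chasing: the library may have been
        # removed to cover tracks, or the write may be the first stage of a drop.
        reasons.append("dangling: library not present on disk")
    base = entry.rsplit("/", 1)[-1]
    if not (base.endswith(".so") or ".so." in base):
        reasons.append("does not look like a shared object")
    return reasons


def triage_preload(content: str,
                   exists: Callable[[str], bool] = os.path.exists,
                   allowlist: FrozenSet[str] = frozenset()) -> dict:
    """Map each entry in the file to the list of reasons it was flagged."""
    return {entry: assess_entry(entry, exists, allowlist) for entry in parse_preload(content)}


# Constructed sample: one expected entry, one dropped rootkit library, one dangling path.
SAMPLE_CONTENT = """# managed by config-mgmt (constructed sample)
/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
/dev/shm/.x/libproc.so:/usr/local/lib/libhide.so
"""
# Constructed view of what is on disk, used in place of os.path.exists.
SAMPLE_DISK = frozenset({
    "/usr/lib/x86_64-linux-gnu/libjemalloc.so.2",
    "/dev/shm/.x/libproc.so",
})

if __name__ == "__main__":
    for entry, reasons in triage_preload(SAMPLE_CONTENT, exists=SAMPLE_DISK.__contains__).items():
        print(entry, "->", reasons or "ok")
```

For a live host, call triage_preload with the real file contents and the default os.path.exists, and seed the allowlist with the entries your configuration management is known to write.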