---
title: Dynamic linker config modified
description: Datadog, the leading service for cloud-scale monitoring.
---

# Dynamic linker config modified

Classification: attack

Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)

Technique: [T1574-hijack-execution-flow](https://attack.mitre.org/techniques/T1574)

## Goal{% #goal %}

Detect modifications to `/etc/ld.so.preload`, a file used by the Linux dynamic linker to preload shared libraries for every process. Attackers abuse this file to inject malicious libraries system-wide, enabling privilege escalation or persistent code execution.

## Strategy{% #strategy %}

This rule fires on any File System Activity event (`ocsf.class_uid:1001`) targeting `/etc/ld.so.preload`. It is the cross-source counterpart to the `linux-audit-logs` rule of the same name and excludes that source so it does not double-fire on auditd events, which require event-id correlation to recover process context.

## Triage and response{% #triage-and-response %}

1. Identify the process that touched `/etc/ld.so.preload` using `{{@ocsf.actor.process.path}}` and `{{@ocsf.actor.process.name}}`.
1. Review the current contents of `/etc/ld.so.preload` on host `{{host}}` to determine if a malicious library path was written.
1. Check when the file was last modified (`stat /etc/ld.so.preload`) and correlate with surrounding process and authentication logs.
1. If unauthorized, remove the malicious entry, terminate any processes that preloaded the library, and investigate the initial access vector.
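
The review in steps 2 to 4 as a script, added here as an example and not part of Datadog's rule or tooling: it parses the preload file the way glibc does (entries split on whitespace or `:`, `#` comments ignored), stats each listed library, and lists the PIDs that currently map it. The function names and the `proc_root` parameter are assumptions made for this example.

```python
import os, re, stat, sys, time
from pathlib import Path

def parse_preload(text):
    # glibc ignores '#' to end of line and splits entries on whitespace or ':'
    entries = []
    for line in text.splitlines():
        entries += [e for e in re.split(r"[\s:]+", line.split("#", 1)[0]) if e]
    return entries

def describe(lib):
    # Bare names go through the library search path; only paths can be stat()ed.
    if "/" not in lib:
        return {"path": lib, "exists": None}
    try:
        st = os.stat(lib)
    except OSError:
        return {"path": lib, "exists": False}
    return {"path": lib, "exists": True, "owner_uid": st.st_uid,
            "world_writable": bool(st.st_mode & stat.S_IWOTH),
            "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))}

def _mapped_path(line):
    f = line.split(None, 5)  # address perms offset dev inode [pathname]
    p = f[5].strip() if len(f) == 6 else ""
    return p[:-10] if p.endswith(" (deleted)") else p

def pids_mapping(lib, proc_root="/proc"):
    # PIDs whose address space currently maps `lib` (bare names match by basename)
    hit = (lambda p: p == lib) if "/" in lib else (lambda p: os.path.basename(p) == lib)
    pids = []
    for maps in Path(proc_root).glob("[0-9]*/maps"):
        try:
            lines = maps.read_text(errors="replace").splitlines()
        except OSError:  # process exited, or not running as root
            continue
        if any(hit(p) for p in map(_mapped_path, lines) if p):
            pids.append(int(maps.parent.name))
    return sorted(pids)

def triage(preload="/etc/ld.so.preload", proc_root="/proc"):
    try:
        text = Path(preload).read_text(errors="replace")
    except FileNotFoundError:
        return []  # no file: nothing is preloaded system-wide
    return [dict(describe(e), pids=pids_mapping(e, proc_root)) for e in parse_preload(text)]

if __name__ == "__main__":
    print(*triage(*sys.argv[1:3]), sep="\n")
```

Run it as root on the affected host so every `/proc/<pid>/maps` file is readable; a library that still shows PIDs after its entry is removed from the file is still loaded in those processes.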
