---
title: Auditd dynamic linker config modified
description: Datadog, the leading service for cloud-scale monitoring.
---

# Auditd dynamic linker config modified

Classification: attack. Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004). Technique: [T1574-hijack-execution-flow](https://attack.mitre.org/techniques/T1574).

## Goal{% #goal %}

Detect modifications to `/etc/ld.so.preload`, a file used by the Linux dynamic linker to preload shared libraries for every process. Attackers abuse this file to inject malicious libraries system-wide, enabling privilege escalation or persistent code execution.

## Strategy{% #strategy %}

This rule correlates two auditd events sharing the same `event_id`: a PATH record showing `/etc/ld.so.preload` was accessed, and a SYSCALL record for an `openat` call (File System Activity, Read). Requiring both records reduces false positives from unrelated file reads.
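
The correlation described above, sketched over raw auditd log lines as an added example (not Datadog's rule logic). It assumes the raw `type=... msg=audit(ts:serial):` log format and the x86_64 syscall number 257 for `openat`; the `write_intent` field goes beyond the rule as described, decoding the `openat` flags in `a2` to separate writes from plain reads.

```python
import re
from collections import defaultdict

TARGET = "/etc/ld.so.preload"
OPENAT = {"257", "openat"}  # assumption: x86_64 syscall number, or the name in interpreted logs
HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not captured from a real host).
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:811): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=241 a3=1b6 items=1 pid=4312 uid=0 comm="tee" exe="/usr/bin/tee"
type=PATH msg=audit(1700000000.101:811): item=0 name="/etc/ld.so.preload" nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:812): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=80000 a3=0 items=1 pid=4313 uid=0 comm="cat" exe="/usr/bin/cat"
type=PATH msg=audit(1700000000.202:812): item=0 name="/etc/passwd" nametype=NORMAL
type=PATH msg=audit(1700000000.303:813): item=0 name="/etc/ld.so.preload" nametype=NORMAL
"""


def correlate(lines):
    """Group raw auditd records by event id; alert only when an openat SYSCALL
    record and a PATH record for TARGET share that id."""
    events = defaultdict(lambda: {"syscall": None, "path_hit": False})
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        event = events[f"{ts}:{serial}"]
        if rtype == "SYSCALL" and fields.get("syscall") in OPENAT:
            event["syscall"] = fields
        elif rtype == "PATH" and fields.get("name") == TARGET:
            event["path_hit"] = True
    alerts = []
    for event_id, event in events.items():
        sc = event["syscall"]
        if sc and event["path_hit"]:
            # openat(dirfd, path, flags, mode): a2 is the flags argument, logged in hex.
            access = int(sc.get("a2", "0"), 16) & 0x3  # O_ACCMODE bits
            alerts.append({"event_id": event_id, "exe": sc.get("exe"), "pid": sc.get("pid"),
                           "write_intent": access in (1, 2)})  # O_WRONLY or O_RDWR
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE.splitlines()):
        print(alert)
```

In the sample, only event 811 alerts: event 812 is an `openat` on an unrelated file, and event 813 is a PATH record with no matching SYSCALL record.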

## Triage and response{% #triage-and-response %}

1. Identify the process that opened `/etc/ld.so.preload` using `{{@ocsf.actor.process.path}}` and `{{@ocsf.actor.process.name}}` from the correlated SYSCALL record.
1. Review the current contents of `/etc/ld.so.preload` on host `{{host}}` to determine if a malicious library path was written.
1. Check when the file was last modified (`stat /etc/ld.so.preload`) and correlate with surrounding process and authentication logs.
1. If unauthorized, remove the malicious entry, terminate any processes that preloaded the library, and investigate the initial access vector.
