Auditd dynamic linker config modified

Goal

Detect modifications to /etc/ld.so.preload, a file used by the Linux dynamic linker to preload shared libraries for every process. Attackers abuse this file to inject malicious libraries system-wide, enabling privilege escalation or persistent code execution.

Strategy

This rule correlates two auditd records that share the same event_id: a PATH record showing that /etc/ld.so.preload was the file accessed, and a SYSCALL record for an openat call (normalized as File System Activity, Read). Requiring both records in the same event reduces false positives from unrelated file reads that would otherwise match on only one of them.

Triage and response

  1. Identify the process that opened /etc/ld.so.preload using {{@ocsf.actor.process.path}} and {{@ocsf.actor.process.name}} from the correlated SYSCALL record.
  2. Review the current contents of /etc/ld.so.preload on host {{host}} to determine if a malicious library path was written.
  3. Check when the file was last modified (stat /etc/ld.so.preload) and correlate with surrounding process and authentication logs.
  4. If unauthorized, remove the malicious entry, terminate any processes that preloaded the library, and investigate the initial access vector.
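The correlation described under Strategy, and the process attribution needed in triage step 1, can be reproduced offline against raw auditd records. The following Python is an added example and is not Datadog's rule or detection code; it assumes that Datadog's event_id corresponds to the serial number inside the auditd msg=audit(timestamp:serial) header, uses constructed sample log lines (not real events), and resolves openat by its raw syscall number per audit arch (257 on x86_64, 56 on aarch64), since raw records carry numbers rather than names.

```python
import re
from collections import defaultdict

WATCHED_PATH = "/etc/ld.so.preload"

# openat syscall numbers keyed by the arch value a raw SYSCALL record carries
# (x86_64 and aarch64). Assumption: the event_id in the rule is the audit serial.
OPENAT_BY_ARCH = {"c000003e": "257", "c00000b7": "56"}

# Constructed sample auditd output (not from the page): event 4521 is a full
# openat of the watched file, 4522 is a lone PATH record with no SYSCALL,
# and 4523 is an openat of an unrelated file. Only 4521 should alert.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4521): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d3c0a2f2a0 a2=0 a3=0 items=1 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="ld_preload"
type=CWD msg=audit(1700000000.123:4521): cwd="/root"
type=PATH msg=audit(1700000000.123:4521): item=0 name="/etc/ld.so.preload" inode=262170 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1700000001.456:4522): item=0 name="/etc/ld.so.preload" inode=262170 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000002.789:4523): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=PATH msg=audit(1700000002.789:4523): item=0 name="/etc/hosts" inode=1 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd emits as unquoted hex when the value holds spaces, quotes or
# control characters; compare the decoded form, not the raw text.
HEX_FIELDS = {"name", "comm", "exe", "cwd", "proctitle"}


def decode_audit_value(field, raw):
    """Strip quotes, or hex-decode the fields auditd encodes for unusual values."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if field in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        try:
            return bytes.fromhex(raw).decode("utf-8", errors="replace")
        except ValueError:
            return raw
    return raw


def parse_audit_log(text):
    """Group raw auditd records by serial number, the shared event id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: decode_audit_value(k, v) for k, v in FIELD_RE.findall(body)}
        fields["type"] = rtype
        fields["time"] = ts
        events[serial].append(fields)
    return events


def find_ld_preload_opens(events):
    """Alert only when one event has both a PATH record naming the watched
    file and a SYSCALL record whose number is openat for its arch."""
    alerts = []
    for serial, records in sorted(events.items(), key=lambda kv: int(kv[0])):
        path_hit = any(r["type"] == "PATH" and r.get("name") == WATCHED_PATH for r in records)
        syscall = next((r for r in records if r["type"] == "SYSCALL"), None)
        if not path_hit or syscall is None:
            continue
        if OPENAT_BY_ARCH.get(syscall.get("arch")) != syscall.get("syscall"):
            continue
        # The SYSCALL record supplies what triage step 1 asks for: the acting
        # process path and name, plus the login uid that owns the session.
        alerts.append({
            "event_id": serial,
            "time": syscall["time"],
            "pid": syscall.get("pid"),
            "auid": syscall.get("auid"),
            "process_name": syscall.get("comm"),
            "process_path": syscall.get("exe"),
            "success": syscall.get("success"),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_ld_preload_opens(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(alert)
```

Grouping by serial before evaluating means record order does not matter, and a PATH record that arrives without its SYSCALL (event 4522 above) never alerts on its own, which is the false-positive reduction the rule relies on. The syscall set is a deliberate tuning point: the rule as written matches openat only, so an environment whose tooling opens the file through a different syscall would need OPENAT_BY_ARCH extended to match what its audit records actually show.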