T1055.014 VDSO Hijacking Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect VDSO hijacking indicators on Linux endpoints
// Monitor for suspicious access to [vdso] memory regions and GOT modifications
Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any ("vdso", "linux-gate", "linux-vdso")
| where SyslogMessage has_any ("ptrace", "inject", "mmap", "mprotect")
| where SyslogMessage !has "gdb" and SyslogMessage !has "strace"
| project TimeGenerated, Computer, SyslogMessage, Facility, SeverityLevel
| sort by TimeGenerated desc
| union (
    Syslog
    | where TimeGenerated > ago(24h)
    | where SyslogMessage has "mprotect" and SyslogMessage has "PROT_EXEC"
    | where SyslogMessage !has "ld-linux" and SyslogMessage !has "libc"
    | project TimeGenerated, Computer, SyslogMessage, Facility, SeverityLevel
)
| sort by TimeGenerated desc

high severity low confidence

Data Sources

Process: OS API Execution Process: Process Access Linux auditd Syslog

Required Tables

Syslog

False Positives

Dynamic linker (ld-linux.so) performing legitimate GOT updates during shared library loading
Security tools performing ELF binary analysis and memory inspection
JIT compilers (Java, V8/Node.js) using mprotect to make JIT-compiled code executable
Debug tools inspecting vdso memory for debugging purposes

Splunk

spl

index=linux sourcetype="linux:audit" type=SYSCALL
| eval syscall_name=case(
    syscall="101", "ptrace",
    syscall="10", "mprotect",
    syscall="9", "mmap",
    syscall="232", "epoll_wait",
    1=1, syscall
)
| where syscall_name IN ("ptrace", "mprotect", "mmap")
| eval exe_name=mvindex(split(exe, "/"), -1)
| search NOT exe_name IN ("gdb", "strace", "ltrace", "valgrind", "java", "node", "dockerd", "containerd")
| eval VDSOIndicator=case(
    syscall_name="ptrace" AND (a0="1" OR a0="2" OR a0="4" OR a0="5"), "HIGH - ptrace PEEK/POKE (memory read/write for VDSO patching)",
    syscall_name="mprotect" AND match(a2, "(5|7)"), "MEDIUM - mprotect with EXEC flag (making memory executable)",
    syscall_name="mmap" AND match(a2, "(5|7)"), "MEDIUM - mmap with EXEC flag",
    1=1, "LOW"
)
| where VDSOIndicator!="LOW"
| table _time, host, auid, uid, exe, pid, syscall_name, a0, a1, a2, VDSOIndicator
| sort - _time

high severity low confidence

Data Sources

Process: OS API Execution Linux auditd syscall audit records

Required Sourcetypes

linux:audit

False Positives

Dynamic linker performing legitimate GOT resolution
JIT compilers making memory executable
Security analysis tools inspecting ELF structures
Container runtimes using ptrace and mmap for process management

Elastic Security (EQL)

eql

sequence by host.id, process.pid with maxspan=30s
  [process where event.type == "start" and
   process.name != null and
   process.name not in ("gdb", "strace", "ltrace", "valgrind", "java", "node", "dockerd", "containerd") and
   host.os.type == "linux"]
  [process where event.action == "exec" and
   process.args : ("ptrace", "mprotect", "mmap") and
   host.os.type == "linux"]

OR

any where host.os.type == "linux" and
  event.dataset == "auditd" and
  auditd.data.syscall in ("ptrace", "mprotect", "mmap") and
  (
    (auditd.data.syscall == "ptrace" and auditd.data.a0 in ("1", "2", "4", "5")) or
    (auditd.data.syscall in ("mprotect", "mmap") and auditd.data.a2 : ("5", "7", "0x5", "0x7"))
  ) and
  not process.executable : ("/usr/bin/gdb", "/usr/bin/strace", "/usr/bin/ltrace", "/usr/bin/valgrind", "/usr/bin/java", "*/dockerd", "*/containerd")

high severity medium confidence

Data Sources

Linux auditd Elastic Agent auditd integration Filebeat auditd module

Required Tables

logs-auditd* auditbeat-* .ds-logs-auditd*

False Positives

Legitimate debuggers (gdb, lldb) performing process inspection will trigger ptrace PEEK/POKE events during normal debugging sessions
JIT compilation runtimes such as Java HotSpot, Node.js V8, and .NET CLR use mprotect with PROT_EXEC to make JIT-compiled memory regions executable
Dynamic linker (ld-linux) and libc use mmap and mprotect with executable flags when loading shared libraries during application startup

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  QIDNAME(qid) AS event_name,
  "payload",
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  logsourcetypeid = 105
  AND LOGSOURCENAME(logsourceid) LIKE '%auditd%'
  AND devicetime > (NOW() - 86400000)
  AND (
    (
      payload ILIKE '%syscall%'
      AND (
        payload ILIKE '%ptrace%'
        OR payload ILIKE '%mprotect%'
        OR payload ILIKE '%mmap%'
      )
      AND (
        payload ILIKE '%vdso%'
        OR payload ILIKE '%linux-gate%'
        OR payload ILIKE '%linux-vdso%'
        OR payload ILIKE '%PROT_EXEC%'
        OR payload ILIKE '%0x5 %'
        OR payload ILIKE '%0x7 %'
      )
    )
    OR (
      payload ILIKE '%ptrace%'
      AND (
        payload ILIKE '% a0=1 %'
        OR payload ILIKE '% a0=2 %'
        OR payload ILIKE '% a0=4 %'
        OR payload ILIKE '% a0=5 %'
      )
    )
  )
  AND payload NOT ILIKE '%exe="/usr/bin/gdb"%'
  AND payload NOT ILIKE '%exe="/usr/bin/strace"%'
  AND payload NOT ILIKE '%exe="/usr/bin/ltrace"%'
  AND payload NOT ILIKE '%exe="/usr/bin/valgrind"%'
  AND payload NOT ILIKE '%exe="/usr/bin/java"%'
  AND payload NOT ILIKE '%ld-linux%'
  AND payload NOT ILIKE '%libc%'
ORDER BY devicetime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Linux auditd via QRadar DSM Syslog via QRadar Universal DSM

Required Tables

events

False Positives

Security scanning tools and endpoint agents that perform memory inspection may generate ptrace events matching this pattern during regular scans
Containerized JVM-based applications frequently use mprotect with PROT_EXEC for JIT code regions; container runtime processes may appear suspicious without context
Custom application loaders and plugin frameworks that use dlopen/dlmopen at runtime can trigger mmap with executable flags when loading shared objects dynamically

Sumo Logic CSE

sql

_sourceCategory=*linux* OR _sourceCategory=*auditd*
| parse regex "type=SYSCALL.*?syscall=(?P<syscall_num>\d+)" nodrop
| parse regex "exe=\"(?P<exe_path>[^\"]+)\"" nodrop
| parse regex "\bpid=(?P<pid>\d+)" nodrop
| parse regex "\bauid=(?P<auid>\d+)" nodrop
| parse regex "\buid=(?P<uid>\d+)" nodrop
| parse regex "\ba0=(?P<a0>[0-9a-fx]+)" nodrop
| parse regex "\ba2=(?P<a2>[0-9a-fx]+)" nodrop
| where syscall_num in ("9", "10", "101")
| eval syscall_name = if(syscall_num == "101", "ptrace",
    if(syscall_num == "10", "mprotect",
    if(syscall_num == "9", "mmap", syscall_num)))
| eval exe_name = replace(exe_path, ".*/(.*)", "\1")
| where !(exe_name in ("gdb", "strace", "ltrace", "valgrind", "java", "node", "dockerd", "containerd"))
| where !(exe_path matches "*ld-linux*") and !(exe_path matches "*libc*")
| eval vdso_indicator = if(syscall_name == "ptrace" and a0 in ("1", "2", "4", "5"),
    "HIGH - ptrace PEEK/POKE (VDSO patching risk)",
    if((syscall_name == "mprotect" or syscall_name == "mmap") and (a2 matches "*5*" or a2 matches "*7*"),
    "MEDIUM - executable flag set on memory region",
    "LOW"))
| where vdso_indicator != "LOW"
| fields _messageTime, _sourceHost, auid, uid, exe_path, pid, syscall_name, a0, a2, vdso_indicator
| sort by _messageTime desc

high severity medium confidence

Data Sources

Linux auditd via Sumo Logic Installed Collector Syslog collector for Linux audit logs

Required Tables

_sourceCategory=*auditd* _sourceCategory=*linux*

False Positives

Performance profiling tools such as perf, SystemTap, and DTrace use ptrace internally and will generate high-severity alerts that are benign in development and performance testing contexts
Container orchestration platforms (Kubernetes, Docker) frequently execute mprotect and mmap with executable flags when starting new containers or loading container runtime components
Interpreted language runtimes (Python with ctypes/cffi, Ruby with fiddle, Perl with Inline::C) use mmap with executable flags when calling into native shared libraries

Google Chronicle / SecOps

yaral

rule vdso_hijacking_t1055_014 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects VDSO hijacking indicators: suspicious ptrace PEEK/POKE operations or mprotect/mmap with executable flags on Linux endpoints, excluding known legitimate debuggers."
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.014"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-18"
    platform = "Linux"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.target.process.command_line != ""
    (
      (
        re.regex($e.principal.process.file.full_path, `vdso|linux-gate|linux-vdso`) or
        re.regex($e.target.process.command_line, `vdso|linux-gate|linux-vdso`)
      )
      or
      (
        re.regex($e.target.process.command_line, `ptrace|mprotect|mmap`) and
        (
          re.regex($e.target.process.command_line, `PROT_EXEC|0x[57]\b`) or
          re.regex($e.principal.process.command_line, `a0=[1245]\s`)
        )
      )
    )
    not re.regex($e.principal.process.file.full_path, `/(usr/)?(bin|lib)/(gdb|strace|ltrace|valgrind|java|node|dockerd|containerd|ld-linux|libc)`)
    not re.regex($e.target.process.file.full_path, `/(usr/)?(bin|lib)/(gdb|strace|ltrace|valgrind|java|node|dockerd|containerd|ld-linux|libc)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM with Linux endpoint telemetry Chronicle UDM events from auditd or endpoint agent

Required Tables

udm_events

False Positives

Security research and reverse engineering workflows legitimately use ptrace PEEK/POKE to inspect process memory, which will match the HIGH severity indicator in non-production environments
Build systems and compilers (gcc, clang) with link-time optimization and profile-guided optimization create and modify executable memory mappings that may trigger the mprotect/mmap indicators
Electron-based applications and Chromium-derived browsers heavily use mprotect with PROT_EXEC for their V8 JIT compiler, generating medium-severity alerts that are expected behavior

CrowdStrike LogScale (CQL)

cql

// VDSO Hijacking Detection — T1055.014
// Detect ptrace PEEK/POKE and executable mprotect/mmap on Linux

#event_simpleName=SyntheticProcessRollup2 OR #event_simpleName=ProcessRollup2
| FileName != "gdb" AND FileName != "strace" AND FileName != "ltrace" AND FileName != "valgrind" AND FileName != "java" AND FileName != "node" AND FileName != "dockerd" AND FileName != "containerd"
| ImageFileName !~ regex("ld-linux|libc")
| join(
    [#event_simpleName=SyscallAudit
    | SyscallName in ("ptrace", "mprotect", "mmap")
    | eval VDSOIndicator = case(
        SyscallName == "ptrace" AND Arg0 in ("1", "2", "4", "5"), "HIGH - ptrace PEEK/POKE targeting VDSO",
        SyscallName == "mprotect" AND Arg2 in ("5", "7", "0x5", "0x7"), "MEDIUM - mprotect EXEC flag (VDSO write)",
        SyscallName == "mmap" AND Arg2 in ("5", "7", "0x5", "0x7"), "MEDIUM - mmap EXEC flag",
        true(), "LOW"
      )
    | VDSOIndicator != "LOW"
    ],
    field=TargetProcessId,
    include=[SyscallName, Arg0, Arg2, VDSOIndicator]
  )
| groupBy([ComputerName, FileName, ImageFileName, TargetProcessId, SyscallName, Arg0, Arg2, VDSOIndicator], function=[count(as=EventCount), min(timestamp, as=FirstSeen), max(timestamp, as=LastSeen)])
| sort(LastSeen, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor on Linux (kernel 3.10+) CrowdStrike Falcon SyscallAudit events

Required Tables

SyscallAudit ProcessRollup2 SyntheticProcessRollup2

False Positives

Automated test frameworks that use ptrace for code coverage instrumentation (gcov, kcov, Intel PIN) will produce HIGH-severity hits during CI/CD pipeline execution on Linux build agents
Memory-safe language runtimes with garbage collectors (Go, Rust with jemalloc, D) occasionally use mprotect to change memory region permissions during GC cycles, generating medium-severity hits
Sandboxing frameworks such as Firejail, bubblewrap, and seccomp-based sandbox escape detection tools may inspect vdso mappings and perform ptrace operations as part of their own security monitoring

VDSO Hijacking

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections