T1055.014 Google Chronicle · YARA-L

Detect VDSO Hijacking in Google Chronicle

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.014 VDSO Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1055/014/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule vdso_hijacking_t1055_014 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects VDSO hijacking indicators: suspicious ptrace PEEK/POKE operations or mprotect/mmap with executable flags on Linux endpoints, excluding known legitimate debuggers."
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    mitre_attack_technique = "T1055.014"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2026-04-18"
    platform = "Linux"

  events:
    $e.metadata.event_type = "PROCESS_OPEN"
    $e.target.process.command_line != ""
    (
      (
        re.regex($e.principal.process.file.full_path, `vdso|linux-gate|linux-vdso`) or
        re.regex($e.target.process.command_line, `vdso|linux-gate|linux-vdso`)
      )
      or
      (
        re.regex($e.target.process.command_line, `ptrace|mprotect|mmap`) and
        (
          re.regex($e.target.process.command_line, `PROT_EXEC|0x[57]\b`) or
          re.regex($e.principal.process.command_line, `a0=[1245]\s`)
        )
      )
    )
    not re.regex($e.principal.process.file.full_path, `/(usr/)?(bin|lib)/(gdb|strace|ltrace|valgrind|java|node|dockerd|containerd|ld-linux|libc)`)
    not re.regex($e.target.process.file.full_path, `/(usr/)?(bin|lib)/(gdb|strace|ltrace|valgrind|java|node|dockerd|containerd|ld-linux|libc)`)

  condition:
    $e
}
high severity medium confidence

Chronicle YARA-L 2.0 rule detecting VDSO hijacking attempts by monitoring for processes accessing vdso memory regions or executing ptrace PEEK/POKE and mprotect/mmap syscalls with executable flags, which are the primitive operations required to redirect execution via global offset table patching. Excludes known legitimate debugging and runtime tools.

Data Sources

Google Chronicle SIEM with Linux endpoint telemetryChronicle UDM events from auditd or endpoint agent

Required Tables

udm_events

False Positives & Tuning

  • Security research and reverse engineering workflows legitimately use ptrace PEEK/POKE to inspect process memory, which will match the HIGH severity indicator in non-production environments
  • Build systems and compilers (gcc, clang) with link-time optimization and profile-guided optimization create and modify executable memory mappings that may trigger the mprotect/mmap indicators
  • Electron-based applications and Chromium-derived browsers heavily use mprotect with PROT_EXEC for their V8 JIT compiler, generating medium-severity alerts that are expected behavior
Download portable Sigma rule (.yml)

Other platforms for T1055.014

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inspect VDSO Memory Region

    Expected signal: auditd: open() on /proc/<pid>/maps. The VDSO mapping shows the address range of the vdso in the target process.

  2. Test 2Check GOT Entries of Running Process

    Expected signal: auditd: readlink and open on /proc/<pid>/exe, execution of readelf. No direct security events from GOT inspection — this is a defensive analysis technique.

  3. Test 3mprotect Executable Permission Change Detection

    Expected signal: Syslog: python3 process execution. No actual mprotect call with PROT_EXEC in this safe test. In a real attack: auditd SYSCALL record with syscall=10 (mprotect) and a2 containing PROT_EXEC flag.

Last updated: 2026-04-18 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.008Ptrace System CallsT1055.009Proc MemoryT1574.006Dynamic Linker HijackingT1014Rootkit

Same Tactic: Defense Evasion

Popular Detections