T1055.014 Elastic Security · Elastic

Detect VDSO Hijacking in Elastic Security

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.014 VDSO Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1055/014/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id, process.pid with maxspan=30s
  [process where event.type == "start" and
   process.name != null and
   process.name not in ("gdb", "strace", "ltrace", "valgrind", "java", "node", "dockerd", "containerd") and
   host.os.type == "linux"]
  [process where event.action == "exec" and
   process.args : ("ptrace", "mprotect", "mmap") and
   host.os.type == "linux"]

OR

any where host.os.type == "linux" and
  event.dataset == "auditd" and
  auditd.data.syscall in ("ptrace", "mprotect", "mmap") and
  (
    (auditd.data.syscall == "ptrace" and auditd.data.a0 in ("1", "2", "4", "5")) or
    (auditd.data.syscall in ("mprotect", "mmap") and auditd.data.a2 : ("5", "7", "0x5", "0x7"))
  ) and
  not process.executable : ("/usr/bin/gdb", "/usr/bin/strace", "/usr/bin/ltrace", "/usr/bin/valgrind", "/usr/bin/java", "*/dockerd", "*/containerd")
high severity medium confidence

Detects VDSO hijacking indicators on Linux endpoints by monitoring auditd events for suspicious ptrace PEEK/POKE operations and mprotect/mmap calls with executable flags that may indicate an adversary is patching the virtual dynamic shared object memory region or global offset table to redirect execution flow.

Data Sources

Linux auditdElastic Agent auditd integrationFilebeat auditd module

Required Tables

logs-auditd*auditbeat-*.ds-logs-auditd*

False Positives & Tuning

  • Legitimate debuggers (gdb, lldb) performing process inspection will trigger ptrace PEEK/POKE events during normal debugging sessions
  • JIT compilation runtimes such as Java HotSpot, Node.js V8, and .NET CLR use mprotect with PROT_EXEC to make JIT-compiled memory regions executable
  • Dynamic linker (ld-linux) and libc use mmap and mprotect with executable flags when loading shared libraries during application startup
Download portable Sigma rule (.yml)

Other platforms for T1055.014

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inspect VDSO Memory Region

    Expected signal: auditd: open() on /proc/<pid>/maps. The VDSO mapping shows the address range of the vdso in the target process.

  2. Test 2Check GOT Entries of Running Process

    Expected signal: auditd: readlink and open on /proc/<pid>/exe, execution of readelf. No direct security events from GOT inspection — this is a defensive analysis technique.

  3. Test 3mprotect Executable Permission Change Detection

    Expected signal: Syslog: python3 process execution. No actual mprotect call with PROT_EXEC in this safe test. In a real attack: auditd SYSCALL record with syscall=10 (mprotect) and a2 containing PROT_EXEC flag.

Last updated: 2026-04-18 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.008Ptrace System CallsT1055.009Proc MemoryT1574.006Dynamic Linker HijackingT1014Rootkit

Same Tactic: Defense Evasion

Popular Detections