T1055.014 CrowdStrike LogScale · LogScale

Detect VDSO Hijacking in CrowdStrike LogScale

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1055 Process Injection
Sub-technique
T1055.014 VDSO Hijacking
Canonical reference
https://attack.mitre.org/techniques/T1055/014/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// VDSO Hijacking Detection — T1055.014
// Detect ptrace PEEK/POKE and executable mprotect/mmap on Linux

#event_simpleName=SyntheticProcessRollup2 OR #event_simpleName=ProcessRollup2
| FileName != "gdb" AND FileName != "strace" AND FileName != "ltrace" AND FileName != "valgrind" AND FileName != "java" AND FileName != "node" AND FileName != "dockerd" AND FileName != "containerd"
| ImageFileName !~ regex("ld-linux|libc")
| join(
    [#event_simpleName=SyscallAudit
    | SyscallName in ("ptrace", "mprotect", "mmap")
    | eval VDSOIndicator = case(
        SyscallName == "ptrace" AND Arg0 in ("1", "2", "4", "5"), "HIGH - ptrace PEEK/POKE targeting VDSO",
        SyscallName == "mprotect" AND Arg2 in ("5", "7", "0x5", "0x7"), "MEDIUM - mprotect EXEC flag (VDSO write)",
        SyscallName == "mmap" AND Arg2 in ("5", "7", "0x5", "0x7"), "MEDIUM - mmap EXEC flag",
        true(), "LOW"
      )
    | VDSOIndicator != "LOW"
    ],
    field=TargetProcessId,
    include=[SyscallName, Arg0, Arg2, VDSOIndicator]
  )
| groupBy([ComputerName, FileName, ImageFileName, TargetProcessId, SyscallName, Arg0, Arg2, VDSOIndicator], function=[count(as=EventCount), min(timestamp, as=FirstSeen), max(timestamp, as=LastSeen)])
| sort(LastSeen, order=desc)
high severity medium confidence

Detects VDSO hijacking activity on Linux endpoints by correlating CrowdStrike Falcon SyscallAudit events for ptrace PEEK/POKE operations (used to read/write vdso memory) and mprotect/mmap calls with executable permission flags (used to make patched memory executable), joining against process context and filtering known legitimate debugger binaries.

Data Sources

CrowdStrike Falcon sensor on Linux (kernel 3.10+)CrowdStrike Falcon SyscallAudit events

Required Tables

SyscallAuditProcessRollup2SyntheticProcessRollup2

False Positives & Tuning

  • Automated test frameworks that use ptrace for code coverage instrumentation (gcov, kcov, Intel PIN) will produce HIGH-severity hits during CI/CD pipeline execution on Linux build agents
  • Memory-safe language runtimes with garbage collectors (Go, Rust with jemalloc, D) occasionally use mprotect to change memory region permissions during GC cycles, generating medium-severity hits
  • Sandboxing frameworks such as Firejail, bubblewrap, and seccomp-based sandbox escape detection tools may inspect vdso mappings and perform ptrace operations as part of their own security monitoring
Download portable Sigma rule (.yml)

Other platforms for T1055.014

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Inspect VDSO Memory Region

    Expected signal: auditd: open() on /proc/<pid>/maps. The VDSO mapping shows the address range of the vdso in the target process.

  2. Test 2Check GOT Entries of Running Process

    Expected signal: auditd: readlink and open on /proc/<pid>/exe, execution of readelf. No direct security events from GOT inspection — this is a defensive analysis technique.

  3. Test 3mprotect Executable Permission Change Detection

    Expected signal: Syslog: python3 process execution. No actual mprotect call with PROT_EXEC in this safe test. In a real attack: auditd SYSCALL record with syscall=10 (mprotect) and a2 containing PROT_EXEC flag.

Last updated: 2026-04-18 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1055.014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1055Process Injection

Related Sub-techniques

T1055.001Dynamic-link Library InjectionT1055.002Portable Executable InjectionT1055.003Thread Execution HijackingT1055.004Asynchronous Procedure CallT1055.005Thread Local StorageT1055.008Ptrace System CallsT1055.009Proc MemoryT1055.011Extra Window Memory InjectionT1055.012Process HollowingT1055.013Process DoppelgangingT1055.015ListPlanting

Related Techniques

T1055Process InjectionT1055.008Ptrace System CallsT1055.009Proc MemoryT1574.006Dynamic Linker HijackingT1014Rootkit

Same Tactic: Defense Evasion

Popular Detections