T1055.014 IBM QRadar · QRadar

Detect VDSO Hijacking in IBM QRadar

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1055 Process Injection
Sub-technique: T1055.014 VDSO Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1055/014/

QRadar Detection Query

AQL query (QRadar Advanced Search):
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  QIDNAME(qid) AS event_name,
  "payload",
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  logsourcetypeid = 105
  AND LOGSOURCENAME(logsourceid) LIKE '%auditd%'
  AND devicetime > (NOW() - 86400000)
  AND (
    (
      payload ILIKE '%syscall%'
      AND (
        payload ILIKE '%ptrace%'
        OR payload ILIKE '%mprotect%'
        OR payload ILIKE '%mmap%'
      )
      AND (
        payload ILIKE '%vdso%'
        OR payload ILIKE '%linux-gate%'
        OR payload ILIKE '%linux-vdso%'
        OR payload ILIKE '%PROT_EXEC%'
        OR payload ILIKE '%0x5 %'
        OR payload ILIKE '%0x7 %'
      )
    )
    OR (
      payload ILIKE '%ptrace%'
      AND (
        payload ILIKE '% a0=1 %'
        OR payload ILIKE '% a0=2 %'
        OR payload ILIKE '% a0=4 %'
        OR payload ILIKE '% a0=5 %'
      )
    )
  )
  AND payload NOT ILIKE '%exe="/usr/bin/gdb"%'
  AND payload NOT ILIKE '%exe="/usr/bin/strace"%'
  AND payload NOT ILIKE '%exe="/usr/bin/ltrace"%'
  AND payload NOT ILIKE '%exe="/usr/bin/valgrind"%'
  AND payload NOT ILIKE '%exe="/usr/bin/java"%'
  AND payload NOT ILIKE '%ld-linux%'
  AND payload NOT ILIKE '%libc%'
ORDER BY devicetime DESC
LIMIT 1000
Severity: high. Confidence: medium.

Detects VDSO hijacking indicators by keyword-matching Linux auditd SYSCALL records in QRadar: ptrace PEEK/POKE requests (a0=1, 2, 4 or 5) and mprotect/mmap calls carrying executable protection flags alongside vdso references, while excluding known debuggers, the dynamic loader and libc.

Data Sources

  • Linux auditd via QRadar DSM
  • Syslog via QRadar Universal DSM

Required Tables

events

False Positives & Tuning

  • Security scanning tools and endpoint agents that perform memory inspection may generate ptrace events matching this pattern during regular scans
  • Containerized JVM-based applications frequently use mprotect with PROT_EXEC for JIT code regions; container runtime processes may appear suspicious without context
  • Custom application loaders and plugin frameworks that use dlopen/dlmopen at runtime can trigger mmap with executable flags when loading shared objects dynamically
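As an added example (not the page's own code or the rule itself), the Python below applies the conditions the AQL query encodes, and the same executable allow-list the tuning notes justify, to a few constructed auditd SYSCALL records, parsing fields instead of substring-matching. Raw auditd records print syscall arguments as bare hex (a2=5, not 0x5), so the protection flags are decoded; the x86_64 syscall numbers and the sample records are assumptions.

```python
import re

# Constructed sample auditd SYSCALL records (x86_64); not real telemetry.
SAMPLE_RECORDS = [
    # PTRACE_POKETEXT (a0=4) from an unknown binary: should match
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7ffff7fc1000 a3=4d5a9000 pid=1234 comm="inject" exe="/tmp/inject"',
    # PTRACE_PEEKTEXT (a0=1) from gdb: excluded as a known debugger
    'type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=101 success=yes exit=0 a0=1 a1=4d2 a2=7ffff7fc1000 a3=0 pid=1235 comm="gdb" exe="/usr/bin/gdb"',
    # mprotect(addr, len, PROT_READ|PROT_EXEC=5): should match
    'type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=10 success=yes exit=0 a0=7ffff7fc1000 a1=1000 a2=5 a3=0 pid=1234 comm="inject" exe="/tmp/inject"',
    # mprotect(addr, len, PROT_READ|PROT_WRITE=3): no executable bit, no match
    'type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=10 success=yes exit=0 a0=55555555a000 a1=1000 a2=3 a3=0 pid=1236 comm="bash" exe="/usr/bin/bash"',
    # mmap(..., PROT_READ|PROT_WRITE|PROT_EXEC=7, ...) by the JVM JIT: excluded like the AQL rule
    'type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=9 success=yes exit=0 a0=0 a1=100000 a2=7 a3=22 pid=1237 comm="java" exe="/usr/bin/java"',
]

PTRACE_PEEK_POKE = {"1", "2", "4", "5"}  # PEEKTEXT, PEEKDATA, POKETEXT, POKEDATA
SYS_MMAP, SYS_MPROTECT, SYS_PTRACE = "9", "10", "101"  # x86_64 syscall numbers (assumed arch)
PROT_EXEC = 0x4
EXCLUDED_EXE = {"/usr/bin/gdb", "/usr/bin/strace", "/usr/bin/ltrace",
                "/usr/bin/valgrind", "/usr/bin/java"}  # the rule's NOT ILIKE list

def parse_record(line):
    """Split an auditd record into a key -> value dict, dropping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(fields):
    """Return a reason string if the record meets the rule's conditions, else None."""
    if fields.get("type") != "SYSCALL" or fields.get("arch") != "c000003e":
        return None  # other architectures number syscalls differently
    if fields.get("exe") in EXCLUDED_EXE:
        return None
    nr = fields.get("syscall")
    if nr == SYS_PTRACE and fields.get("a0") in PTRACE_PEEK_POKE:
        return f"ptrace request {fields['a0']} (PEEK/POKE) by {fields.get('exe')}"
    if nr in (SYS_MMAP, SYS_MPROTECT):
        prot = int(fields.get("a2", "0"), 16)  # auditd prints args as bare hex
        if prot & PROT_EXEC:
            name = "mmap" if nr == SYS_MMAP else "mprotect"
            return f"{name} with PROT_EXEC (prot=0x{prot:x}) by {fields.get('exe')}"
    return None

def scan(records):
    """Return (pid, reason) for every record the rule would flag."""
    hits = []
    for fields in map(parse_record, records):
        reason = classify(fields)
        if reason:
            hits.append((fields.get("pid"), reason))
    return hits
```

Running scan(SAMPLE_RECORDS) flags only the two records from /tmp/inject; the debugger, JVM and non-executable mprotect records are dropped for the same reasons the AQL exclusions and tuning notes give.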


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Inspect VDSO Memory Region

    Expected signal: auditd: open() on /proc/<pid>/maps. The VDSO mapping shows the address range of the vdso in the target process.

  2. Test 2: Check GOT Entries of Running Process

    Expected signal: auditd: readlink and open on /proc/<pid>/exe, execution of readelf. GOT inspection itself produces no direct security events; this is a defensive analysis technique.

  3. Test 3: mprotect Executable Permission Change Detection

    Expected signal: Syslog: python3 process execution. This safe test makes no actual mprotect call with PROT_EXEC. In a real attack: auditd SYSCALL record with syscall=10 (mprotect on x86_64) and a2 containing the PROT_EXEC flag.
