Detect VDSO Hijacking in Microsoft Sentinel
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.014 VDSO Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1055/014/
KQL Detection Query
// Detect VDSO hijacking indicators on Linux endpoints
// Monitor for suspicious access to [vdso] memory regions and GOT modifications
Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has_any ("vdso", "linux-gate", "linux-vdso")
| where SyslogMessage has_any ("ptrace", "inject", "mmap", "mprotect")
| where SyslogMessage !has "gdb" and SyslogMessage !has "strace"
| project TimeGenerated, Computer, SyslogMessage, Facility, SeverityLevel
| sort by TimeGenerated desc
| union (
Syslog
| where TimeGenerated > ago(24h)
| where SyslogMessage has "mprotect" and SyslogMessage has "PROT_EXEC"
| where SyslogMessage !has "ld-linux" and SyslogMessage !has "libc"
| project TimeGenerated, Computer, SyslogMessage, Facility, SeverityLevel
)
| sort by TimeGenerated descDetects VDSO hijacking indicators by monitoring for access to vdso memory regions and suspicious mprotect calls that change memory protection to executable. VDSO hijacking involves patching the vdso syscall stubs and modifying the Global Offset Table (GOT) to redirect function calls. Also detects mprotect calls adding PROT_EXEC to non-standard memory regions, which is needed to make injected code executable.
Data Sources
Required Tables
False Positives & Tuning
- Dynamic linker (ld-linux.so) performing legitimate GOT updates during shared library loading
- Security tools performing ELF binary analysis and memory inspection
- JIT compilers (Java, V8/Node.js) using mprotect to make JIT-compiled code executable
- Debug tools inspecting vdso memory for debugging purposes
Other platforms for T1055.014
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect VDSO Memory Region
Expected signal: auditd: open() on /proc/<pid>/maps. The VDSO mapping shows the address range of the vdso in the target process.
- Test 2Check GOT Entries of Running Process
Expected signal: auditd: readlink and open on /proc/<pid>/exe, execution of readelf. No direct security events from GOT inspection — this is a defensive analysis technique.
- Test 3mprotect Executable Permission Change Detection
Expected signal: Syslog: python3 process execution. No actual mprotect call with PROT_EXEC in this safe test. In a real attack: auditd SYSCALL record with syscall=10 (mprotect) and a2 containing PROT_EXEC flag.
References (5)
- https://attack.mitre.org/techniques/T1055/014/
- https://web.archive.org/web/20210205211142/https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
- https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
- https://lwn.net/Articles/604515/
- https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/
Unlock Pro Content
Get the full detection package for T1055.014 including response playbook, investigation guide, and atomic red team tests.