Detect VDSO Hijacking in Splunk
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.014 VDSO Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1055/014/
SPL Detection Query
index=linux sourcetype="linux:audit" type=SYSCALL
| eval syscall_name=case(
syscall="101", "ptrace",
syscall="10", "mprotect",
syscall="9", "mmap",
syscall="232", "epoll_wait",
1=1, syscall
)
| where syscall_name IN ("ptrace", "mprotect", "mmap")
| eval exe_name=mvindex(split(exe, "/"), -1)
| search NOT exe_name IN ("gdb", "strace", "ltrace", "valgrind", "java", "node", "dockerd", "containerd")
| eval VDSOIndicator=case(
syscall_name="ptrace" AND (a0="1" OR a0="2" OR a0="4" OR a0="5"), "HIGH - ptrace PEEK/POKE (memory read/write for VDSO patching)",
syscall_name="mprotect" AND match(a2, "(5|7)"), "MEDIUM - mprotect with EXEC flag (making memory executable)",
syscall_name="mmap" AND match(a2, "(5|7)"), "MEDIUM - mmap with EXEC flag",
1=1, "LOW"
)
| where VDSOIndicator!="LOW"
| table _time, host, auid, uid, exe, pid, syscall_name, a0, a1, a2, VDSOIndicator
| sort - _timeDetects VDSO hijacking via Linux auditd by monitoring ptrace memory read/write operations and mprotect/mmap calls that add executable permissions. The VDSO hijacking technique requires: (1) ptrace attachment to read/patch the VDSO, (2) mmap to map a malicious shared object, and (3) GOT patching to redirect function calls. Filters out JIT compilers and debuggers that legitimately use these syscalls.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Dynamic linker performing legitimate GOT resolution
- JIT compilers making memory executable
- Security analysis tools inspecting ELF structures
- Container runtimes using ptrace and mmap for process management
Other platforms for T1055.014
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect VDSO Memory Region
Expected signal: auditd: open() on /proc/<pid>/maps. The VDSO mapping shows the address range of the vdso in the target process.
- Test 2Check GOT Entries of Running Process
Expected signal: auditd: readlink and open on /proc/<pid>/exe, execution of readelf. No direct security events from GOT inspection — this is a defensive analysis technique.
- Test 3mprotect Executable Permission Change Detection
Expected signal: Syslog: python3 process execution. No actual mprotect call with PROT_EXEC in this safe test. In a real attack: auditd SYSCALL record with syscall=10 (mprotect) and a2 containing PROT_EXEC flag.
References (5)
- https://attack.mitre.org/techniques/T1055/014/
- https://web.archive.org/web/20210205211142/https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
- https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
- https://lwn.net/Articles/604515/
- https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/
Unlock Pro Content
Get the full detection package for T1055.014 including response playbook, investigation guide, and atomic red team tests.