Detect VDSO Hijacking in Sumo Logic CSE
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).
MITRE ATT&CK
- Technique
- T1055 Process Injection
- Sub-technique
- T1055.014 VDSO Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1055/014/
Sumo Detection Query
_sourceCategory=*linux* OR _sourceCategory=*auditd*
| parse regex "type=SYSCALL.*?syscall=(?<syscall_num>\d+)" nodrop
| parse regex "\barch=(?<arch>[0-9a-f]+)" nodrop
| parse regex "exe=\"(?<exe_path>[^\"]+)\"" nodrop
| parse regex "\bpid=(?<pid>\d+)" nodrop
| parse regex "\bauid=(?<auid>\d+)" nodrop
| parse regex "\buid=(?<uid>\d+)" nodrop
| parse regex "\ba0=(?<a0>[0-9a-f]+)" nodrop
| parse regex "\ba2=(?<a2>[0-9a-f]+)" nodrop
// syscall numbers below are x86_64 only; auditd reports that ABI as arch=c000003e
| where arch = "c000003e" and syscall_num in ("9", "10", "101")
| if(syscall_num = "101", "ptrace",
    if(syscall_num = "10", "mprotect", "mmap")) as syscall_name
| parse regex field=exe_path "/(?<exe_name>[^/]+)$" nodrop
| where !(exe_name in ("gdb", "strace", "ltrace", "valgrind", "java", "node", "dockerd", "containerd"))
| where !(exe_path matches "*ld-linux*") and !(exe_path matches "*libc*")
// a0 of ptrace is the request: 1=PEEKTEXT 2=PEEKDATA 4=POKETEXT 5=POKEDATA
// a2 of mmap/mprotect is prot; auditd prints it in hex without 0x, so PROT_EXEC (0x4) set means 4, 5, 6 or 7
| if(syscall_name = "ptrace" and a0 in ("1", "2", "4", "5"),
    "HIGH - ptrace PEEK/POKE (VDSO patching risk)",
    if((syscall_name = "mprotect" or syscall_name = "mmap") and a2 in ("4", "5", "6", "7"),
      "MEDIUM - executable flag set on memory region",
      "LOW")) as vdso_indicator
| where vdso_indicator != "LOW"
| fields _messageTime, _sourceHost, auid, uid, exe_path, pid, syscall_name, a0, a2, vdso_indicator
| sort by _messageTime desc
Detects VDSO hijacking attempts on Linux by parsing auditd SYSCALL records for two primitives. The first is ptrace with a PEEK/POKE request type (a0 of 1, 2, 4 or 5: PTRACE_PEEKTEXT, PTRACE_PEEKDATA, PTRACE_POKETEXT, PTRACE_POKEDATA), which is how an injector reads and patches the vdso syscall stubs and the global offset table of a live process. The second is mmap or mprotect whose prot argument (a2) has PROT_EXEC (0x4) set, which is how the injected shared object is made executable. Sumo Logic uses Java-style named groups ((?<name>...)) and expressions are bound to fields with "as"; the syscall numbers are those of x86_64, so the query also requires arch=c000003e, and all argument comparisons are against the bare hex digits that auditd emits.
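To see what the rule actually surfaces, here is a Python re-implementation of its parse-and-classify logic run over constructed auditd SYSCALL records. This is an added example, not Sumo Logic's or the rule author's code; the log lines are constructed to look like auditd output and every path and pid in them is made up. It tests the PROT_EXEC bit of a2 numerically and requires arch=c000003e, so a prot of 4 or 6 is caught, a value such as 0x15 is not, and i386 records (where syscall 10 is unlink) are ignored.

```python
import re

# Linux x86_64 syscall numbers; auditd reports that ABI as arch=c000003e.
SYSCALLS_X86_64 = {"9": "mmap", "10": "mprotect", "101": "ptrace"}
# ptrace request codes (sys/ptrace.h) that read or write a tracee's memory.
PTRACE_PEEK_POKE = {0x1: "PTRACE_PEEKTEXT", 0x2: "PTRACE_PEEKDATA",
                    0x4: "PTRACE_POKETEXT", 0x5: "PTRACE_POKEDATA"}
PROT_EXEC = 0x4  # sys/mman.h; bit 2 of the prot argument of mmap/mprotect
# Same exe-name allow-list as the Sumo rule.
BENIGN_EXES = {"gdb", "strace", "ltrace", "valgrind", "java", "node", "dockerd", "containerd"}

# auditd writes key=value pairs; string values are double-quoted, the rest are bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not captured from a real host).
SAMPLE_AUDITD = [
    # injector writing into a tracee with PTRACE_POKETEXT (a0=4) -> HIGH
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7ffff7fd1000 a3=90909090 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 comm="injector" exe="/usr/local/bin/injector" key="vdso"',
    # gdb doing a PEEKTEXT; excluded by the allow-list -> LOW
    'type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=101 success=yes exit=0 a0=1 a1=4d2 a2=7ffff7fd1000 a3=0 items=0 ppid=1000 pid=1235 auid=1000 uid=1000 gid=1000 comm="gdb" exe="/usr/bin/gdb" key="vdso"',
    # mprotect(addr, len, PROT_READ|PROT_WRITE|PROT_EXEC) from a script host -> MEDIUM
    'type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=10 success=yes exit=0 a0=7f0000001000 a1=1000 a2=7 a3=0 items=0 ppid=1000 pid=1236 auid=1000 uid=1000 gid=1000 comm="python3" exe="/usr/bin/python3" key="vdso"',
    # mprotect to PROT_EXEC only (a2=4); a substring match on "5"/"7" would miss this -> MEDIUM
    'type=SYSCALL msg=audit(1700000000.104:504): arch=c000003e syscall=10 success=yes exit=0 a0=7f0000002000 a1=1000 a2=4 a3=0 items=0 ppid=1000 pid=1237 auid=1000 uid=1000 gid=1000 comm="loader" exe="/opt/app/loader" key="vdso"',
    # anonymous mmap with PROT_READ|PROT_WRITE (a2=3); no executable bit -> LOW
    'type=SYSCALL msg=audit(1700000000.105:505): arch=c000003e syscall=9 success=yes exit=7f0000003000 a0=0 a1=1000 a2=3 a3=22 items=0 ppid=1000 pid=1238 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="vdso"',
    # i386 ABI (arch=40000003), where syscall 10 is unlink, not mprotect -> LOW
    'type=SYSCALL msg=audit(1700000000.106:506): arch=40000003 syscall=10 success=yes exit=0 a0=80ff000 a1=0 a2=7 a3=0 items=1 ppid=1000 pid=1239 auid=1000 uid=1000 gid=1000 comm="rm32" exe="/opt/legacy/rm32" key="vdso"',
    # a non-SYSCALL record from the same audit event; skipped
    'type=PROCTITLE msg=audit(1700000000.101:501): proctitle="injector"',
]


def parse_syscall_record(line):
    """Return the fields of a type=SYSCALL record as a dict, or None for other record types."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "SYSCALL":
        return None
    return fields


def classify(rec):
    """Apply the rule's logic to one parsed record and return its vdso_indicator string."""
    if rec is None or rec.get("arch") != "c000003e":
        return "LOW"  # the syscall numbers are x86_64 only; other ABIs are not evaluated
    name = SYSCALLS_X86_64.get(rec.get("syscall", ""))
    if name is None:
        return "LOW"
    exe = rec.get("exe", "")
    if exe.rsplit("/", 1)[-1] in BENIGN_EXES or "ld-linux" in exe or "libc" in exe:
        return "LOW"
    try:
        a0 = int(rec.get("a0", "0"), 16)  # auditd prints arguments in hex without a 0x prefix
        a2 = int(rec.get("a2", "0"), 16)
    except ValueError:
        return "LOW"
    if name == "ptrace" and a0 in PTRACE_PEEK_POKE:
        return "HIGH - ptrace PEEK/POKE (VDSO patching risk)"
    if name in ("mmap", "mprotect") and a2 & PROT_EXEC:
        return "MEDIUM - executable flag set on memory region"
    return "LOW"


def run_rule(lines):
    """Return (exe, syscall_name, indicator) for every record the rule would surface."""
    hits = []
    for line in lines:
        rec = parse_syscall_record(line)
        indicator = classify(rec)
        if indicator != "LOW":
            hits.append((rec.get("exe", ""), SYSCALLS_X86_64[rec["syscall"]], indicator))
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_AUDITD):
        print(hit)
```

The exe-path checks mirror the rule on purpose: auditd's exe= is the executable of the calling process, so the ld-linux/libc exclusion only ever matches a process whose own binary path contains those strings, not loader activity inside an ordinary program.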
Data Sources
- Linux auditd SYSCALL records, forwarded to Sumo Logic under a source category matching *linux* or *auditd*. These records only exist if the host has an audit rule for the three syscalls, for example `-a always,exit -F arch=b64 -S ptrace,mprotect,mmap -k vdso` in /etc/audit/rules.d/. Auditing mmap and mprotect on every process is high volume; measure it on a representative host before rolling it out.
Required Tables
- None. The query runs over raw messages and uses no CSE lookup tables.
False Positives & Tuning
- Debuggers and tracers (gdb, strace, ltrace, and tools that wrap them) use ptrace PEEK/POKE and will generate high-severity alerts that are benign in development and performance-testing contexts. The allow-list in the query matches only the exe name, so a renamed or wrapped copy still alerts.
- Every dynamically linked program maps its libraries with PROT_EXEC at startup, and auditd attributes those mmap/mprotect calls to the process's own exe=, not to ld-linux or libc, so the ld-linux/libc exclusion rarely fires. Container runtimes (dockerd, containerd, Kubernetes components) that start many processes produce this in volume; baseline the MEDIUM tier before alerting on it.
- Interpreted language runtimes and JITs (Python with ctypes/cffi, Ruby with fiddle, Perl with Inline::C, Java, Node) call mmap/mprotect with PROT_EXEC when loading native libraries or emitting JIT code.
- The syscall numbers in the query are x86_64 (auditd arch=c000003e). Other architectures use different numbers, so filter on arch or add a per-architecture mapping rather than matching the numbers blindly.
Testing Methodology
Validate this detection with the three tests below. Each lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Inspect VDSO Memory Region
Expected signal: auditd open/openat on /proc/<pid>/maps (only if an audit watch covers it). The [vdso] line in the maps output gives the address range of the vdso in the target process; during investigation, compare ptrace POKE target addresses (a2 in the SYSCALL record) against that range.
- Test 2: Check GOT Entries of Running Process
Expected signal: auditd readlink and open on /proc/<pid>/exe, and execution of readelf. GOT inspection is a defensive analysis step and produces no security events from this rule.
- Test 3: mprotect Executable Permission Change Detection
Expected signal: syslog: python3 process execution. This safe test makes no mprotect call with PROT_EXEC, so the rule does not fire. A real attack produces an auditd SYSCALL record with syscall=10 (mprotect) and an a2 (prot) value with the PROT_EXEC bit (0x4) set.
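Test 1 leaves the analyst with a maps file and a set of ptrace records to correlate. Here is an added Python helper for that step, not part of the original page or any vendor tooling: it parses /proc/<pid>/maps text, locates the [vdso] mapping, flags it if it has become writable (the kernel maps it r-xp), and reports which PTRACE_POKE target addresses fall inside it. The sample maps text is constructed, and the addresses in it are invented; the optional self-check reads the current process's own /proc/self/maps where that file exists.

```python
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample of a 64-bit process's maps file (not captured from a real host).
SAMPLE_MAPS = """\
5591e7c00000-5591e7c01000 r--p 00000000 fd:01 1311 /usr/bin/cat
5591e7c01000-5591e7c05000 r-xp 00001000 fd:01 1311 /usr/bin/cat
7f3b6c4b0000-7f3b6c4d8000 r-xp 00028000 fd:01 2612 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd8b7d4000-7ffd8b7f5000 rw-p 00000000 00:00 0 [stack]
7ffd8b7fd000-7ffd8b801000 r--p 00000000 00:00 0 [vvar]
7ffd8b801000-7ffd8b803000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""


def parse_maps(text):
    """Parse maps text into dicts with integer start/end plus the perms and path strings."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE_RE.match(line)
        if not m:
            continue  # tolerate blank or truncated lines in a copied maps dump
        regions.append({
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "perms": m["perms"],
            "path": m["path"].strip(),
        })
    return regions


def find_vdso(regions):
    """Return the [vdso] region, or None if the process has none mapped."""
    return next((r for r in regions if r["path"] == "[vdso]"), None)


def vdso_findings(maps_text, poke_addrs=()):
    """Locate the vdso and answer the Test 1 questions.

    poke_addrs: target addresses (the a2 argument of PTRACE_POKETEXT/POKEDATA
    SYSCALL records) to test against the vdso address range.
    """
    vdso = find_vdso(parse_maps(maps_text))
    if vdso is None:
        return {"found": False, "writable": False, "poke_hits": []}
    return {
        "found": True,
        "start": vdso["start"],
        "end": vdso["end"],
        "perms": vdso["perms"],
        # The kernel maps the vdso r-xp; a 'w' means someone called mprotect on it.
        "writable": "w" in vdso["perms"],
        "poke_hits": [a for a in poke_addrs if vdso["start"] <= a < vdso["end"]],
    }


def own_vdso_findings():
    """Run the same check on the current process; returns None where /proc is unavailable."""
    path = "/proc/self/maps"
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return vdso_findings(f.read())


if __name__ == "__main__":
    # The first address sits inside the sample vdso; the second is in cat's own text segment.
    print(vdso_findings(SAMPLE_MAPS, poke_addrs=[0x7ffd8b801a40, 0x5591e7c01000]))
    print(own_vdso_findings())
```

A POKE address that lands in the vdso range of the traced pid, or a vdso mapping that is no longer r-xp, turns a HIGH alert from the rule into a confirmed patch of the syscall stubs; a POKE into a library's data segment is more likely a GOT write and should be checked against that library's GOT address from readelf.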
References
- https://attack.mitre.org/techniques/T1055/014/
- https://web.archive.org/web/20210205211142/https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
- https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
- https://lwn.net/Articles/604515/
- https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/