Detect Dynamic Linker Hijacking in CrowdStrike LogScale
Adversaries hijack dynamic linker environment variables to load malicious shared libraries before legitimate system libraries. On Linux, the LD_PRELOAD environment variable causes the dynamic linker to load specified shared objects before all others, allowing function hooking. Attackers may also modify /etc/ld.so.preload to achieve system-wide persistence. On macOS, DYLD_INSERT_LIBRARIES provides equivalent functionality. Groups including APT41, Aquatic Panda, Rocke (cryptomining), and HiddenWasp/Symbiote have used LD_PRELOAD for persistence and rootkit-like behavior — hooking libc functions (execve, readdir) to hide processes and files. The Ebury SSH backdoor and COATHANGER (FortiGate backdoor) used this technique against production infrastructure.
MITRE ATT&CK
- Technique
- T1574 Hijack Execution Flow
- Sub-technique
- T1574.006 Dynamic Linker Hijacking
- Canonical reference
- https://attack.mitre.org/techniques/T1574/006/
LogScale Detection Query
#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)\\temp\\.*\.exe/
| ParentBaseFileName != /(?i)(msiexec|trustedinstaller|wusa|dpinst|svchost)/
| UserName != "SYSTEM"
| UserName != ""
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, UserName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
ImageFileName = /(?i)\\temp\\/i AND ParentBaseFileName = /(?i)(setup|install|update)/ => RiskScore := "High";
ImageFileName = /(?i)\\temp\\/i => RiskScore := "Medium";
* => RiskScore := "Low";
}
| where RiskScore in ("High", "Medium")
| table([ComputerName, UserName, ImageFileName, ParentBaseFileName, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)CrowdStrike LogScale (Falcon) CQL detection for Dynamic Linker Hijacking. Detects dynamic linker hijacking via two primary methods: (1) processes launched with LD_PRELOAD or DYLD_INSERT_LIBRARIES environment variables in their command line, and (2) modification of the /etc/
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise installers that update extracted binaries during installation
- Software deployment tools (SCCM, Intune) staging and modifying installers in temp
- Self-patching applications that download and replace their own components
- Automated software update mechanisms that modify binaries before execution
Other platforms for T1574.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Inspect /etc/ld.so.preload Contents
Expected signal: Auditd syscall events for open/read of /etc/ld.so.preload (if auditd is monitoring this path). Process creation events for ls and cat commands.
- Test 2Create Malicious LD_PRELOAD Library (Benign Test)
Expected signal: Process creation events for gcc and ls. The ls process will have LD_PRELOAD=/tmp/test_preload.so in its environment (visible in /proc/<pid>/environ). Auditd may log the library load. File creation event for test_preload.so in /tmp.
- Test 3Modify /etc/ld.so.preload for System-Wide Persistence (Test Only)
Expected signal: Auditd SYSCALL records for open+write on /etc/ld.so.preload with privileged account (sudo). File modification event captured by endpoint telemetry. The modification timestamp on /etc/ld.so.preload changes — forensically detectable.
References (6)
- https://attack.mitre.org/techniques/T1574/006/
- https://intezer.com/blog/research/new-linux-threat-symbiote/
- https://www.elastic.co/security-labs/declawing-pumakit
- https://www.man7.org/linux/man-pages/man8/ld.so.8.html
- https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
Unlock Pro Content
Get the full detection package for T1574.006 including response playbook, investigation guide, and atomic red team tests.