T1574.006 Splunk · SPL

Detect Dynamic Linker Hijacking in Splunk

Adversaries hijack dynamic linker environment variables to load malicious shared libraries before legitimate system libraries. On Linux, the LD_PRELOAD environment variable causes the dynamic linker to load specified shared objects before all others, allowing function hooking. Attackers may also modify /etc/ld.so.preload to achieve system-wide persistence. On macOS, DYLD_INSERT_LIBRARIES provides equivalent functionality. Groups including APT41, Aquatic Panda, Rocke (cryptomining), and HiddenWasp/Symbiote have used LD_PRELOAD for persistence and rootkit-like behavior — hooking libc functions (execve, readdir) to hide processes and files. The Ebury SSH backdoor and COATHANGER (FortiGate backdoor) used this technique against production infrastructure.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation, Defense Evasion
Technique: T1574 Hijack Execution Flow
Sub-technique: T1574.006 Dynamic Linker Hijacking
Canonical reference: https://attack.mitre.org/techniques/T1574/006/

SPL Detection Query

Splunk (SPL)

```spl
(index=linux_logs OR index=syslog) (sourcetype="linux_secure" OR sourcetype=syslog)
| eval CommandLine=coalesce(command, cmd, message)
| eval LDPreload=if(match(CommandLine, "LD_PRELOAD"), 1, 0)
| eval DYLDInsert=if(match(CommandLine, "DYLD_INSERT_LIBRARIES"), 1, 0)
| eval LDLibPath=if(match(CommandLine, "LD_LIBRARY_PATH"), 1, 0)
| where LDPreload=1 OR DYLDInsert=1 OR LDLibPath=1
| table _time, host, user, CommandLine, LDPreload, DYLDInsert, LDLibPath
| sort - _time
```

Also check /etc/ld.so.preload modifications:

```spl
index=linux_auditd sourcetype=linux:audit type=SYSCALL (syscall=open OR syscall=openat OR syscall=write)
| where match(msg_audit, "ld.so.preload")
| table _time, host, auid, uid, exe, msg_audit
| sort - _time
```

Severity: high · Confidence: high

The first query flags LD_PRELOAD, DYLD_INSERT_LIBRARIES and LD_LIBRARY_PATH in Linux/macOS process command lines collected via syslog. The second query monitors auditd syscall events for access to /etc/ld.so.preload, the system-wide preload file that makes every dynamically linked process load the libraries it lists. That file should almost never be modified on production systems.

Data Sources

  • Process: Process Creation
  • File: File Modification
  • Linux auditd
  • syslog

Required Sourcetypes

  • linux_secure
  • linux:audit

False Positives & Tuning

  • Developer workstations using Valgrind, AddressSanitizer, or similar instrumentation tools
  • Performance analysis workflows using profiling libraries injected via LD_PRELOAD
  • CI/CD pipelines that use LD_PRELOAD for test instrumentation
  • Some container runtimes and orchestration systems that set library paths
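The two queries above, together with the allowlisting the false-positive list calls for, as an added Python example rather than the page's own SPL. It re-implements the command-line check and the /etc/ld.so.preload check over constructed telemetry and adds the correlation the auditd query needs in practice: a SYSCALL record carries exe, auid and uid but not the file name, which sits in the PATH record that shares the same audit serial. Every host, user, path and log line below is constructed sample data, and ALLOWED_LIBS is an assumed starting allowlist, not page content.

```python
"""Log-side detection of dynamic linker hijacking (T1574.006).

Added example, not the page's SPL. All telemetry below is constructed
sample data; ALLOWED_LIBS is an assumed tuning allowlist, not page content.
"""
import re

# Linker variables named on the page, captured with the value they are set to.
VAR_RE = re.compile(r"\b(LD_PRELOAD|DYLD_INSERT_LIBRARIES|LD_LIBRARY_PATH)=(\S+)")

# Assumed allowlist for the tuning cases on the page (sanitizers, Valgrind).
# Match on the library being preloaded, never on the bare variable name, so a
# library in an unexpected location is still flagged.
ALLOWED_LIBS = re.compile(r"(libasan|libtsan|libubsan|vgpreload|valgrind)", re.I)

# auditd helpers: key=value pairs, and the (timestamp:serial) id that ties the
# SYSCALL record to its PATH records.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
X86_64_SYSCALLS = {1: "write", 2: "open", 257: "openat"}  # numbers for arch=c000003e
PRELOAD_SYSCALLS = {"open", "openat", "write"}            # the set the SPL query uses


def check_command_line(host, user, cmdline):
    """Mirror of the first query: flag linker variables in a command line,
    dropping hits whose library matches the allowlist. Returns None if clean."""
    hits = dict(VAR_RE.findall(cmdline))
    suspicious = {k: v for k, v in hits.items() if not ALLOWED_LIBS.search(v)}
    if not suspicious:
        return None
    return {"host": host, "user": user, "vars": suspicious, "cmd": cmdline}


def parse_audit_record(line):
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = AUDIT_ID_RE.search(line)
    fields["_serial"] = m.group(2) if m else None
    return fields


def _is_write_access(sc, name):
    """True for write(), or open/openat with O_WRONLY|O_RDWR; None when the
    flags were rendered symbolically (ausearch -i) and cannot be decoded."""
    if name == "write":
        return True
    flags = sc.get("a1") if name == "open" else sc.get("a2")  # flags argument
    try:
        return bool(int(flags, 16) & 0x3)  # O_WRONLY=1, O_RDWR=2
    except (TypeError, ValueError):
        return None


def check_audit_records(lines):
    """Mirror of the second query plus SYSCALL/PATH correlation by serial."""
    events = {}
    for line in lines:
        rec = parse_audit_record(line)
        events.setdefault(rec["_serial"], []).append(rec)
    findings = []
    for serial, recs in events.items():
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and "ld.so.preload" in r.get("name", "")]
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not paths or sc is None:
            continue
        raw = sc.get("syscall", "")
        name = raw
        if raw.isdigit() and sc.get("arch") == "c000003e":
            name = X86_64_SYSCALLS.get(int(raw), raw)
        if name not in PRELOAD_SYSCALLS:
            continue
        findings.append({"serial": serial, "syscall": name, "write": _is_write_access(sc, name),
                         "exe": sc.get("exe"), "auid": sc.get("auid"), "uid": sc.get("uid"),
                         "success": sc.get("success"), "path": paths[0]})
    return findings


# Constructed sample telemetry (host, user, command line).
SAMPLE_PROCESSES = [
    ("web01", "deploy", "LD_PRELOAD=/tmp/.cache/libx.so /usr/sbin/sshd -D"),
    ("dev03", "alice", "LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libasan.so.8 ./unit_tests"),
    ("web01", "root", "/usr/bin/cat /etc/ld.so.preload"),
    ("mac02", "bob", "DYLD_INSERT_LIBRARIES=/Users/bob/inject.dylib /Applications/Foo.app/Contents/MacOS/Foo"),
]
# Constructed auditd records: a create-for-write of /etc/ld.so.preload, an
# unrelated read of /etc/ld.so.conf, and an ausearch -i style read of the preload file.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5609a1b2c3d0 a2=241 a3=1b6 items=2 pid=1300 auid=1000 uid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="ld_preload"',
    'type=PATH msg=audit(1700000000.101:4567): item=0 name="/etc/" inode=131073 nametype=PARENT',
    'type=PATH msg=audit(1700000000.101:4567): item=1 name="/etc/ld.so.preload" inode=133204 nametype=CREATE',
    'type=SYSCALL msg=audit(1700000000.250:4570): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5609a1b2c4e0 a2=0 a3=0 items=1 pid=1302 auid=1000 uid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="etc_reads"',
    'type=PATH msg=audit(1700000000.250:4570): item=0 name="/etc/ld.so.conf" inode=131100 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.300:4580): arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a2=O_RDONLY|O_CLOEXEC items=1 pid=1305 auid=1000 uid=0 euid=0 comm=cat exe=/usr/bin/cat key=ld_preload',
    'type=PATH msg=audit(1700000000.300:4580): item=0 name=/etc/ld.so.preload inode=133204 nametype=NORMAL',
]


def run_detection():
    """Run both checks over the constructed samples; returns (cmd_findings, audit_findings)."""
    cmd_findings = [f for f in (check_command_line(*p) for p in SAMPLE_PROCESSES) if f]
    return cmd_findings, check_audit_records(SAMPLE_AUDIT)


if __name__ == "__main__":
    cmds, audits = run_detection()
    for finding in cmds + audits:
        print(finding)
```

The `write` field separates a read of the preload file (Test 1 on this page, a benign inspection) from a write to it (Test 3, the persistence case): for open/openat the flags argument is decoded when auditd logged it in hex, and left undetermined when the record came through ausearch -i, which renders flags symbolically.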
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Inspect /etc/ld.so.preload Contents

    Expected signal: Auditd syscall events for open/read of /etc/ld.so.preload (if auditd is monitoring this path). Process creation events for ls and cat commands.

  2. Test 2: Create Malicious LD_PRELOAD Library (Benign Test)

    Expected signal: Process creation events for gcc and ls. The ls process will have LD_PRELOAD=/tmp/test_preload.so in its environment (visible in /proc/<pid>/environ). Auditd may log the library load. File creation event for test_preload.so in /tmp.

  3. Test 3: Modify /etc/ld.so.preload for System-Wide Persistence (Test Only)

    Expected signal: Auditd SYSCALL records for open+write on /etc/ld.so.preload with privileged account (sudo). File modification event captured by endpoint telemetry. The modification timestamp on /etc/ld.so.preload changes — forensically detectable.
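The host-side counterpart of the expected signals above, as an added Python example that is not part of the original page: it parses an ld.so.preload file (whitespace-separated library paths, as ld.so documents) and reports its modification time, entries and per-entry concerns, and it parses a /proc/<pid>/environ-style byte string for the linker variables Test 2 expects to see. RISKY_DIRS, the sample file content and the sample environ blob are assumptions constructed for the demo; nothing reads real system state.

```python
"""Host-side triage for T1574.006 signals.

Added example, not part of the original page. RISKY_DIRS and the demo data
are constructed assumptions; the checks read only the paths handed to them.
"""
import os
import tempfile
import time

# Assumed: locations a system-wide preload library has no business living in.
RISKY_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
LINKER_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES", "LD_LIBRARY_PATH")


def inspect_preload_file(path):
    """Parse an ld.so.preload file and return mtime, entries and concerns.
    Entries are whitespace-separated, as the ld.so manual describes."""
    report = {"exists": os.path.exists(path), "entries": [], "concerns": []}
    if not report["exists"]:
        return report
    st = os.stat(path)
    report["mtime"] = st.st_mtime                 # the forensic timestamp Test 3 changes
    report["age_seconds"] = time.time() - st.st_mtime
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for entry in fh.read().split():
            report["entries"].append(entry)
            if not os.path.isabs(entry):
                report["concerns"].append(f"{entry}: not an absolute path")
                continue
            if entry.startswith(RISKY_DIRS):
                report["concerns"].append(f"{entry}: lives in a user-writable location")
            if not os.path.exists(entry):
                report["concerns"].append(f"{entry}: does not exist (dangling entry)")
    return report


def scan_environ(environ_bytes):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE) and return
    the linker-related variables that are set."""
    found = {}
    for item in environ_bytes.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep and key.decode("ascii", "replace") in LINKER_VARS:
            found[key.decode("ascii")] = value.decode("utf-8", "replace")
    return found


def demo():
    """Exercise both checks on constructed data; returns (file_report, environ_vars)."""
    with tempfile.TemporaryDirectory() as tmp:
        preload = os.path.join(tmp, "ld.so.preload")
        with open(preload, "w") as fh:
            # Constructed content: the Test 2 library plus a dangling entry.
            fh.write("/tmp/test_preload.so\n/usr/lib/libnonexistent_abc.so\n")
        report = inspect_preload_file(preload)
    environ = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/test_preload.so\0HOME=/root\0"
    return report, scan_environ(environ)


if __name__ == "__main__":
    file_report, env_vars = demo()
    print(file_report)
    print(env_vars)
```

On a live host the same functions would be pointed at /etc/ld.so.preload and at the environ of a suspect process; the age of the file and any entry under a user-writable directory are the two facts an investigator wants first.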
