title: Dynamic Linker Hijacking (T1574.006)
id: df00tech-t1574-006
status: experimental
description: "Adversaries hijack dynamic linker environment variables to load malicious shared libraries before legitimate system libraries. On Linux, the LD_PRELOAD environment variable causes the dynamic linker to load the listed shared objects before all others, allowing function hooking. Attackers may also write to /etc/ld.so.preload, which the loader honors for every dynamically linked process, to achieve system-wide persistence. On macOS, DYLD_INSERT_LIBRARIES provides equivalent functionality. Threat actors and malware families including APT41, Aquatic Panda, Rocke (cryptomining), and HiddenWasp/Symbiote have used LD_PRELOAD for persistence and rootkit-like behavior, hooking libc functions such as execve and readdir to hide processes and files. The Ebury SSH backdoor and COATHANGER (FortiGate backdoor) used this technique against production infrastructure."
references:
  - https://attack.mitre.org/techniques/T1574/006/
  - https://df00tech.com/detections/T1574.006
author: df00tech
date: 2026/03/11
tags:
  - attack.t1574.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
# (this technique targets Linux/macOS loaders, so a Windows source would never match)
logsource:
  category: process_creation
  product: linux
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Memory leak detection tools like Valgrind and AddressSanitizer that use LD_PRELOAD for instrumentation
  - "Performance profiling tools (perf, gprof wrappers) that inject profiling libraries via LD_PRELOAD"
  - Java and JVM-based applications that may set LD_LIBRARY_PATH to find JNI libraries
  - "Legitimate security tools that use LD_PRELOAD for system call interception (e.g., some EDR agents)"
level: high
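Since the detection block above is a placeholder, the following Python is an added example (not the df00tech rule's own logic) of what the query should express: flag process-creation events whose environment or command line sets LD_PRELOAD or DYLD_INSERT_LIBRARIES, suppress the instrumentation libraries named in the falsepositives list, escalate injections from world-writable or user directories, and report any entry in /etc/ld.so.preload. The event field names (pid, comm, cmdline, env) and sample events are constructed assumptions, not a real sensor schema.

```python
"""Added helper for T1574.006: flag dynamic-linker preload variables in
process-creation events and list /etc/ld.so.preload entries.
Event fields (pid, comm, cmdline, env) are an assumed, constructed schema."""
import re
from typing import Optional

_ENV_RE = re.compile(r"\b(LD_PRELOAD|DYLD_INSERT_LIBRARIES)=(\S+)")
# Benign instrumentation libraries (mirrors the rule's falsepositives); tune per environment.
ALLOWLIST = ("vgpreload", "libasan", "libtsan", "libmsan", "libprofiler")
# An injected library living under these paths is escalated to high.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/", "/home/")

def inspect_event(event: dict) -> Optional[dict]:
    """Finding for one event, or None if no preload var is set or every
    injected library is allowlisted."""
    m = _ENV_RE.search(event.get("env", "") + " " + event.get("cmdline", ""))
    if not m:
        return None
    libs = [p for p in m.group(2).split(":") if p]
    unknown = [p for p in libs if not any(a in p for a in ALLOWLIST)]
    if not unknown:
        return None
    high = any(p.startswith(SUSPICIOUS_DIRS) for p in unknown)
    return {"pid": event.get("pid"), "comm": event.get("comm"), "var": m.group(1),
            "libs": unknown, "severity": "high" if high else "medium"}

def scan(events) -> list:
    """Run inspect_event over an event stream and keep the findings."""
    return [f for f in map(inspect_event, events) if f is not None]

def ld_so_preload_entries(content: str) -> list:
    """Parse /etc/ld.so.preload text (comments start with '#'); any entry is
    notable because the file is normally absent or empty on a clean host."""
    entries = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        entries.extend(line.split())
    return entries

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 101, "comm": "valgrind", "cmdline": "valgrind ./app",
     "env": "LD_PRELOAD=/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so"},
    {"pid": 102, "comm": "sshd", "cmdline": "/usr/sbin/sshd -D",
     "env": "LD_PRELOAD=/dev/shm/libc.so.6"},
    {"pid": 103, "comm": "bash", "cmdline": "bash -c ls",
     "env": "LD_PRELOAD=/usr/local/lib/libhook.so:/usr/lib/libasan.so.6"},
    {"pid": 104, "comm": "cron", "cmdline": "/usr/sbin/cron", "env": "PATH=/usr/bin"},
]
```

Running scan(SAMPLE_EVENTS) yields two findings: the sshd event with a library under /dev/shm at high severity, and the bash event at medium, while the Valgrind event and the cron event produce nothing.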
