Detects redirection of syscall execution flow through modification of VDSO code stubs or GOT entries, where a malicious shared object is mapped into the target via ptrace and mmap and then executed.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | auditd:SYSCALL | ptrace, mmap, mprotect, open, dlopen |
| Process Modification (DC0020) | auditd:memprotect | change from PROT_READ\|PROT_WRITE to PROT_EXEC |
| Module Load (DC0016) | auditd:file-events | open of suspicious .so from non-standard paths |
| Process Creation (DC0032) | linux:osquery | child process invoking dynamic linker post-ptrace |

| Field | Description |
|---|---|
| SuspiciousSharedObjectPathRegex | Regex to filter dynamic library paths outside of `/lib`, `/usr/lib`, etc. (e.g., `/tmp`, `/dev/shm`) |
| TimeWindow_PtraceToMmap | Max delay allowed between ptrace attach and mmap/mprotect execution in target process |
| ExecMemoryProtectionThreshold | Flag when executable memory mappings deviate from normal runtime behavior |
| AnomalousParentProcessList | Parent processes unlikely to legitimately call ptrace (e.g., nginx, apache2, sshd) |
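The correlation the two tables describe, as an added example that is not part of the original detection strategy: a small Python analytic that parses raw auditd records, merges the SYSCALL and PATH records that share an audit serial, and applies three of the four tunables (SuspiciousSharedObjectPathRegex, TimeWindow_PtraceToMmap, AnomalousParentProcessList; ExecMemoryProtectionThreshold needs a per-host baseline and is left out). The audit lines, the pid-to-name snapshot standing in for the osquery process table, the x86_64 syscall numbers and the tunable values are all assumptions constructed for this example; only the `ptrace` request and `prot` argument positions and the `PROT_EXEC`/`PTRACE_ATTACH`/`PTRACE_SEIZE` constants are fixed by the Linux ABI.

```python
import re
from collections import defaultdict

# Tunables mirroring the page's fields; the values are assumptions for this example.
SUSPICIOUS_SO_PATH_REGEX = re.compile(r"^/(tmp|dev/shm|var/tmp)/.*\.so(\.\d+)*$")
TIME_WINDOW_PTRACE_TO_MMAP = 5.0                      # seconds between attach and exec mapping
ANOMALOUS_PARENT_PROCESS_LIST = {"nginx", "apache2", "sshd"}

# x86_64 (arch=c000003e) syscall numbers and flag values the analytic keys on.
SYSCALL_NAMES = {2: "open", 9: "mmap", 10: "mprotect", 101: "ptrace", 257: "openat"}
PROT_EXEC = 0x4
PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206

AUDIT_HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Turn one raw audit.log record into a dict; returns None for lines that are not audit records."""
    m = AUDIT_HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, value in KEY_VALUE.findall(m["body"]):
        rec[key] = value.strip('"')
    return rec

def group_events(lines):
    """auditd emits one syscall as several records (SYSCALL, PATH, ...) sharing a serial; merge them."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev.update(rec)
        elif rec["type"] == "PATH":
            ev.setdefault("paths", []).append(rec.get("name", ""))
    return [events[s] for s in sorted(events) if "syscall" in events[s]]

def detect(events, process_table):
    """Correlate ptrace attach -> exec memory change -> suspicious .so open; return a list of alerts."""
    alerts, traced = [], {}                           # traced: target pid -> (tracer pid, attach ts)
    for ev in events:
        name = SYSCALL_NAMES.get(int(ev["syscall"]))
        if name is None or ev.get("success") != "yes":
            continue
        pid, ts = int(ev["pid"]), ev["ts"]
        if name == "ptrace":
            request, target = int(ev["a0"], 16), int(ev["a1"], 16)  # ptrace(request, pid, ...)
            if request in (PTRACE_ATTACH, PTRACE_SEIZE):
                traced[target] = (pid, ts)
                parent = process_table.get(int(ev["ppid"]))
                if parent in ANOMALOUS_PARENT_PROCESS_LIST:
                    alerts.append({"kind": "ptrace_from_anomalous_parent", "pid": pid, "parent": parent, "target": target})
        elif name in ("mmap", "mprotect"):
            prot = int(ev["a2"], 16)                  # third argument is the prot bitmask for both calls
            if prot & PROT_EXEC and pid in traced:
                tracer, t0 = traced[pid]
                if 0 <= ts - t0 <= TIME_WINDOW_PTRACE_TO_MMAP:
                    alerts.append({"kind": "exec_memory_after_ptrace", "pid": pid, "tracer": tracer,
                                   "syscall": name, "delay": round(ts - t0, 3)})
        elif name in ("open", "openat"):
            for path in ev.get("paths", []):
                if SUSPICIOUS_SO_PATH_REGEX.match(path):
                    alerts.append({"kind": "suspicious_shared_object_open", "pid": pid, "path": path, "traced": pid in traced})
    return alerts

def analyze(lines, process_table):
    return detect(group_events(lines), process_table)

# Constructed sample records (not captured from a real host): pid 4242, a child of nginx, attaches to
# 5150, which then opens a .so from /dev/shm and flips a page to PROT_EXEC; gdb (a child of bash) and
# a python3 process loading libssl from /usr/lib are the benign controls that must not alert.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=141e a2=0 a3=0 pid=4242 ppid=4100 comm="loader" exe="/tmp/loader" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.350:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1000 a2=80000 a3=0 pid=5150 ppid=1 comm="victimd" exe="/usr/sbin/victimd" key="fileopen"',
    'type=PATH msg=audit(1700000000.350:102): item=0 name="/dev/shm/libx.so" inode=7331 dev=00:18 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
    'type=SYSCALL msg=audit(1700000000.400:103): arch=c000003e syscall=10 success=yes exit=0 a0=7f3a1c000000 a1=1000 a2=5 a3=0 pid=5150 ppid=1 comm="victimd" exe="/usr/sbin/victimd" key="memprotect"',
    'type=SYSCALL msg=audit(1700000000.500:104): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1838 a2=0 a3=0 pid=6100 ppid=6000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.600:105): arch=c000003e syscall=9 success=yes exit=7f0000000000 a0=0 a1=2000 a2=5 a3=802 pid=7000 ppid=1 comm="python3" exe="/usr/bin/python3" key="mmap"',
    'type=SYSCALL msg=audit(1700000000.700:106): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2000 a2=80000 a3=0 pid=7000 ppid=1 comm="python3" exe="/usr/bin/python3" key="fileopen"',
    'type=PATH msg=audit(1700000000.700:106): item=0 name="/usr/lib/x86_64-linux-gnu/libssl.so.3" inode=9000 dev=00:18 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]
PROCESS_TABLE = {1: "systemd", 4100: "nginx", 6000: "bash"}   # constructed osquery-style pid -> name snapshot

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES, PROCESS_TABLE):
        print(alert)
```

Running the sample yields three alerts, all against the 4242/5150 pair, and nothing for the gdb session or the python3 process, which shows why the ptrace link is the pivot: a PROT_EXEC mapping alone (pid 7000) or a debugger attach alone (pid 6100) is ordinary runtime behaviour, and only their combination within TimeWindow_PtraceToMmap, plus a shared object opened from a path matching SuspiciousSharedObjectPathRegex, is worth an analyst's time. On a real host the ptrace syscall must be audited with `-S ptrace` and the PATH records kept, since the library path never appears in the SYSCALL record itself.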