Hijack Execution Flow: LD_PRELOAD

Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.[1][2]

Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or the /etc/ld.so.preload file.[1][2] Libraries specified by LD_PRELOAD will be loaded and mapped into memory by dlopen() and mmap() respectively.[3][4][5]

LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.

ID: T1574.006
Sub-technique of: T1574
Tactics: Persistence, Privilege Escalation, Defense Evasion
Platforms: Linux
Data Sources: Environment variable, File monitoring, Process monitoring
Version: 1.0
Created: 13 March 2020
Last Modified: 15 June 2020

Procedure Examples

Name Description
HiddenWasp

HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable.[6]

Rocke

Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.[7]

Mitigations

Mitigation Description
Execution Prevention

Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.

Detection

Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
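The two detection ideas above (watching LD_PRELOAD and /etc/ld.so.preload, and comparing the hashes of libraries mapped into a process against a known-good baseline) can be checked directly from the kernel's /proc views. The following host-audit script is an added example written for this page; it is not ATT&CK content or code from any tool the page cites. It assumes a glibc-style Linux host, parses the preload lists with the separators documented in ld.so(8) (spaces or colons for LD_PRELOAD, whitespace for the file), and uses constructed SAMPLE_* inputs so the parsing logic can be exercised offline; the baseline dict of path-to-SHA-256 values is something the operator records on a clean host, and none of the sample paths or hashes refer to a real system.

```python
"""Audit a Linux host for LD_PRELOAD interposition and loaded-library drift.

Added example for this page (not ATT&CK's or any cited tool's code). It reads
the kernel's /proc views plus /etc/ld.so.preload and needs only the standard
library. The SAMPLE_* inputs are constructed for offline use.
"""
import hashlib
from pathlib import Path

PRELOAD_FILE = "/etc/ld.so.preload"  # file form of the preload list, from the page

# Constructed samples mirroring /proc/<pid>/environ, ld.so.preload and
# /proc/<pid>/maps; no path or hash here comes from a real host.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/unexpected.so\0HOME=/root\0"
SAMPLE_PRELOAD = "/usr/local/lib/libhook.so\n"
SAMPLE_MAPS = (
    "7f0a1b200000-7f0a1b222000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f0a1b222000-7f0a1b3b7000 r-xp 00022000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f0a1b400000-7f0a1b401000 r-xp 00000000 08:01 5678 /tmp/unexpected.so\n"
    "7ffd3c5e0000-7ffd3c601000 rw-p 00000000 00:00 0 [stack]\n"
)


def parse_environ(raw: bytes) -> dict:
    """Turn the NUL-separated /proc/<pid>/environ content into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        if entry:
            key, _, value = entry.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def parse_preload_list(text: str) -> list:
    """Split a preload list. ld.so(8) allows spaces or colons in LD_PRELOAD and
    whitespace in ld.so.preload, so both separators are honoured."""
    return text.replace(":", " ").split()


def mapped_libraries(maps_text: str) -> set:
    """Collect file-backed shared objects from /proc/<pid>/maps text."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # the pathname is the optional sixth field
        if len(fields) == 6 and fields[5].startswith("/") and ".so" in fields[5]:
            libs.add(fields[5])
    return libs


def compare_hashes(observed: dict, baseline: dict) -> dict:
    """Report libraries whose hash is missing from or differs with the baseline
    recorded on a known-good run (the page's 'compare against previous
    executions' check)."""
    return {
        path: {"expected": baseline.get(path), "observed": digest}
        for path, digest in observed.items()
        if baseline.get(path) != digest
    }


def sha256_file(path: str):
    """Hash a file on disk; None if it was unlinked or cannot be read."""
    try:
        return hashlib.sha256(Path(path).read_bytes()).hexdigest()
    except OSError:
        return None


def audit_process(pid: int, baseline: dict, proc_root: str = "/proc") -> dict:
    """Live check of one process: LD_PRELOAD in its environment and hash
    drift of every shared object mapped into it."""
    proc = Path(proc_root) / str(pid)
    env = parse_environ((proc / "environ").read_bytes())
    libs = mapped_libraries((proc / "maps").read_text())
    observed = {path: sha256_file(path) for path in libs}
    return {
        "pid": pid,
        "ld_preload": parse_preload_list(env.get("LD_PRELOAD", "")),
        "drift": compare_hashes(observed, baseline),
    }


def audit_host(baseline: dict, proc_root: str = "/proc") -> list:
    """Walk /proc and return findings for processes that preload or drift.
    The system-wide preload file is reported once under pid 0."""
    findings = []
    try:
        entries = parse_preload_list(Path(PRELOAD_FILE).read_text())
    except OSError:  # file absent on a healthy host
        entries = []
    if entries:
        findings.append({"pid": 0, "ld_preload": entries, "drift": {}})
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            result = audit_process(int(entry.name), baseline, proc_root)
        except OSError:  # process exited, or we lack permission to read it
            continue
        if result["ld_preload"] or result["drift"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    # With an empty baseline every mapped library is reported as drift, so
    # record hashes on a known-good host first and pass them in here.
    for finding in audit_host(baseline={}):
        print(finding)
```

Reading /proc/<pid>/environ for processes owned by other users needs root, and a process that set LD_PRELOAD for its children and then cleared it will not show the variable in its own environ, which is why the script also hashes what is actually mapped rather than trusting the environment alone.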

References