
Modification of Dynamic Linker Preload Shared Object Inside A Container
Elastic Detection Rules
Summary
This detection rule identifies modifications to the dynamic linker preload file (/etc/ld.so.preload) inside a container. The dynamic linker consults this file at process start and loads every shared object listed in it into each dynamically linked process before any other library, so an adversary who writes an attacker-controlled library path into it can hook libc functions (for example directory listing, process enumeration or network calls) in every new process in the container: a user-land rootkit technique used for persistence, for hiding files and processes from defenders, and for intercepting credentials. The rule uses Elastic's EQL (Event Query Language) over container file events and matches any event on ld.so.preload that is not a deletion, i.e. creation, change or rename into place. Because this behavior is a strong indicator of execution-flow hijacking in a container, security teams should respond quickly when it fires: read the file, verify that every library it lists exists, is owned by a trusted package and does not live in a writable location such as /tmp or /dev/shm, establish which process and user made the change, and treat the container image and the workload that produced it as suspect until the modification is explained.
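To make the matching logic and the follow-up check concrete, the following Python is an added example, not Elastic's rule or any Elastic code. It reimplements the condition the summary describes (a file event on /etc/ld.so.preload, inside a container, whose type is not a deletion) over constructed ECS-style events, and then parses a constructed ld.so.preload to flag entries that point into writable or non-absolute locations. The event shapes, the `event.id` values and the preload contents are all invented for illustration.

```python
"""Added example: re-creating the ld.so.preload container detection in Python."""

from typing import Iterable, List

# ECS records event.category and event.type as arrays; older shippers may emit
# a plain string. Normalise both so the matcher handles either shape.
def _as_set(value) -> set:
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return set(value)


LD_PRELOAD_PATH = "/etc/ld.so.preload"

# Constructed sample events (not real telemetry). Field names follow ECS.
SAMPLE_EVENTS = [
    {"event": {"id": "evt-1", "category": ["file"], "type": ["creation"]},
     "file": {"path": LD_PRELOAD_PATH},
     "container": {"id": "5c1d9f"}, "process": {"name": "sh", "pid": 4102}},
    {"event": {"id": "evt-2", "category": ["file"], "type": ["change"]},
     "file": {"path": LD_PRELOAD_PATH},
     "container": {"id": "5c1d9f"}, "process": {"name": "python3", "pid": 4110}},
    # Deletion of the file is excluded by the rule.
    {"event": {"id": "evt-3", "category": ["file"], "type": ["deletion"]},
     "file": {"path": LD_PRELOAD_PATH},
     "container": {"id": "5c1d9f"}, "process": {"name": "rm", "pid": 4120}},
    # A different linker config file; not what this rule watches.
    {"event": {"id": "evt-4", "category": ["file"], "type": ["change"]},
     "file": {"path": "/etc/ld.so.conf"},
     "container": {"id": "5c1d9f"}, "process": {"name": "ldconfig", "pid": 4130}},
    # Same path on the host (no container.id): out of scope for a container rule.
    {"event": {"id": "evt-5", "category": "file", "type": "change"},
     "file": {"path": LD_PRELOAD_PATH},
     "process": {"name": "vim", "pid": 900}},
]


def is_preload_modification(event: dict) -> bool:
    """True for a non-deletion file event on ld.so.preload inside a container."""
    ev = event.get("event", {})
    return (
        "file" in _as_set(ev.get("category"))
        and "deletion" not in _as_set(ev.get("type"))
        and event.get("file", {}).get("path") == LD_PRELOAD_PATH
        and bool(event.get("container", {}).get("id"))
    )


def match_events(events: Iterable[dict]) -> List[str]:
    """Return the event.id of every event that would trigger the rule."""
    return [e["event"]["id"] for e in events if is_preload_modification(e)]


# Locations a legitimate preload entry should never point into. Assumption for
# the example; tune to the base images actually in use.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def suspicious_preload_entries(contents: str) -> List[str]:
    """Parse ld.so.preload text and return entries worth escalating.

    ld.so.preload lists one shared object per line; '#' starts a comment and
    blank lines are ignored. Relative paths and paths under writable
    directories are flagged; a package-owned absolute path is left alone.
    """
    flagged = []
    for raw in contents.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.startswith("/") or line.startswith(WRITABLE_PREFIXES):
            flagged.append(line)
    return flagged


# Constructed file contents standing in for what a responder would read from
# the container after the alert fires.
SAMPLE_PRELOAD = """# preload jemalloc for the app
/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
/tmp/.x/libevil.so
libhide.so
"""

if __name__ == "__main__":
    print("alerting events:", match_events(SAMPLE_EVENTS))
    print("suspicious entries:", suspicious_preload_entries(SAMPLE_PRELOAD))
```

The matcher deliberately keys on the absence of "deletion" rather than the presence of a single positive type, mirroring the summary's "not deletions" wording, so a rename into place or a permission change on the file still alerts. The triage helper is only a first filter: an entry under /usr/lib can still be malicious, so ownership and hash checks against the image's package database belong in the follow-up.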
Categories
- Containers
- Cloud
- Linux
Data Sources
- Container
- File
ATT&CK Techniques
- T1574
- T1574.006
Created: 2023-06-06