Shared Object Load via LoLBin

Elastic Detection Rules

Summary
Detects Linux processes that abuse LoLBins to load a shared object (.so) library into memory, an evasion technique often used to persist or to execute in-memory code. The rule fires on process start events where the process is not a typical loader and the command line or arguments indicate that a shared object is being loaded through dynamic linker mechanisms. It covers the following invocation patterns across languages and tools that can dynamically load libraries:
  • bash with -c invoking commands that reference -f*.so
  • openssl with -engine and a .so
  • python* with -c and cdll.LoadLibrary*.so
  • ruby* with -e and Fiddle.dlopen*.so
  • interactive or scripting tools (gdb, gimp, rview, rvim, view, vim, vimdiff) using cdll.LoadLibrary*.so
  • the shell families bash, dash, sh, tcsh, csh, zsh, ksh and fish used with -c in combinations that trigger library loading, including cross-pattern checks such as ruby-based or python-based Fiddle.dlopen usage
The rule explicitly excludes common legitimate parent processes and paths to reduce false positives (for example certain Python environments, make, process-wrapper, bwrap, and specific system, bazel or vendor directories). By focusing on in-memory shared-object loading, the rule serves both defense-evasion and execution use cases and maps to the MITRE ATT&CK techniques System Binary Proxy Execution (T1218), Hijack Execution Flow (T1574) and Command and Scripting Interpreter (T1059) with its Unix Shell sub-technique, reinforcing detection of LoLBin-style abuse on Linux endpoints.
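As an added example (not the Elastic rule itself or code from this page), the following Python sketch applies the invocation patterns and parent-process exclusions listed above to constructed process-start events. The event field names and the path-prefix exclusions are assumptions; the real rule's query language and exact exclusion list are not reproduced here.

```python
import fnmatch

SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
TOOLS = {"gdb", "gimp", "rview", "rvim", "view", "vim", "vimdiff"}
SO_LOAD_GLOBS = ("*cdll.LoadLibrary*.so*", "*Fiddle.dlopen*.so*", "*-f*.so*")
# Parent-process names come from the rule summary; the path prefixes are
# placeholders (assumption) standing in for the rule's system/bazel/vendor exclusions.
EXCLUDED_PARENTS = {"make", "process-wrapper", "bwrap"}
EXCLUDED_PATH_PREFIXES = ("/opt/vendor-placeholder/", "/home/ci/.cache/bazel/")

def _flag_then_glob(args, flag, *globs):
    """True if `flag` is present and a later argument matches one of `globs`."""
    if flag not in args:
        return False
    rest = args[args.index(flag) + 1:]
    return any(fnmatch.fnmatch(a, g) for a in rest for g in globs)

def matches_so_load_rule(event):
    """Return a label for the matched invocation pattern, or None if no pattern fires."""
    name, args = event["process_name"], event["args"]
    if (event.get("parent_name") in EXCLUDED_PARENTS
            or event.get("executable", "").startswith(EXCLUDED_PATH_PREFIXES)):
        return None  # legitimate parent or excluded path: suppress to cut false positives
    if name.startswith("python") and _flag_then_glob(args, "-c", "*cdll.LoadLibrary*.so*"):
        return "python-ctypes"
    if name.startswith("ruby") and _flag_then_glob(args, "-e", "*Fiddle.dlopen*.so*"):
        return "ruby-fiddle"
    if name == "openssl" and _flag_then_glob(args, "-engine", "*.so*"):
        return "openssl-engine"
    if name in TOOLS and any(fnmatch.fnmatch(a, "*cdll.LoadLibrary*.so*") for a in args):
        return "tool-ctypes"
    if name in SHELLS and _flag_then_glob(args, "-c", *SO_LOAD_GLOBS):
        return "shell-c"  # shell -c wrapping a ruby/python-style loader (cross-pattern)
    return None

# Constructed sample process-start events (not real telemetry).
SAMPLE_EVENTS = [
    {"process_name": "python3", "parent_name": "bash", "executable": "/usr/bin/python3",
     "args": ["python3", "-c", "import ctypes; ctypes.cdll.LoadLibrary('/tmp/sample.so')"]},
    {"process_name": "python3", "parent_name": "make", "executable": "/usr/bin/python3",
     "args": ["python3", "-c", "import ctypes; ctypes.cdll.LoadLibrary('/tmp/sample.so')"]},
    {"process_name": "openssl", "parent_name": "sh", "executable": "/usr/bin/openssl",
     "args": ["openssl", "-engine", "/tmp/sample-engine.so"]},
    {"process_name": "bash", "parent_name": "sshd", "executable": "/usr/bin/bash",
     "args": ["bash", "-c", "ruby -e \"require 'fiddle'; Fiddle.dlopen('/tmp/sample.so')\""]},
    {"process_name": "bash", "parent_name": "sshd", "executable": "/usr/bin/bash",
     "args": ["bash", "-c", "ls -la /var/log"]},
]
```

The second sample is identical to the first except for its `make` parent, which is why it is suppressed; that is the exclusion the rule relies on to keep build systems quiet.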
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
ATT&CK Techniques
  • T1218
  • T1574
  • T1059
  • T1059.004
Created: 2026-07-02