Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or
/etc/ld.so.preloadfile.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory bydlopen()andmmap()respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.
This test adds a shared library to the ld.so.preload list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the glibc package.
Upon successful execution, bash will echo ../bin/T1574.006.so to /etc/ld.so.preload.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c |
| path_to_shared_library | Path to a shared library object | Path | /tmp/T1574006.so |
sudo sh -c 'echo #{path_to_shared_library} > /etc/ld.so.preload'sudo sed -i '\~#{path_to_shared_library}~d' /etc/ld.so.preloadDescription: The shared library must exist on disk at specified location (#{path_to_shared_library})
if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the glibc package.
Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library /etc/ld.so.preload. Output will be via stdout.
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c |
| path_to_shared_library | Path to a shared library object | Path | /tmp/T1574006.so |
LD_PRELOAD=#{path_to_shared_library} lsDescription: The shared library must exist on disk at specified location (#{path_to_shared_library})
if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}