3/23/2023 0 Comments Osquery monitor java processSince some monitoring and security software uses LD_PRELOAD for benign purposes, you will have to create a baseline of known processes in your environment using LD_PRELOAD.Ī few benign examples we have encountered using LD_PRELOAD include the following.įrom an attacker’s perspective, as TrustedSec mentions in their blog, there are some inconveniences on using LD_PRELOAD - mainly that you need to restart the process that you want to inject code into in order for it to work. SELECT process_envs.pid as source_process_id, process_envs.key as environment_variable_key, process_envs.value as environment_variable_value, processes.name as source_process, processes.path as file_path, processes.cmdline as source_process_commandline, processes.cwd as current_working_directory, 'T1055' as event_attack_id, 'Process Injection' as event_attack_technique, 'Defense Evasion, Privilege Escalation' as event_attack_tactic FROM process_envs join processes USING (pid) WHERE key = 'LD_PRELOAD' We can also get more verbose information by setting the LD_DEBUG environment variable.Ī simple way to hunt for malicious LD_PRELOAD usage with Osquery is by querying the process_envs table and looking for processes with the LD_PRELOAD environment variable set. We can see our sample-library being loaded now. Now, let’s set the LD_PRELOAD environment variable to load our library by executing.Įxport LD_PRELOAD=/home/ubuntu/linux-inject/sample-library.so ldd /home/ubuntu/linux-inject/sample-target We can see how this is defined in the sample-target ELF file by using readelf. Libc.so.6 is one of the dynamic libraries that the sample-target requires to run, and ld-linux.so.2 is in charge of finding and loading the shared libraries. Depending on the architecture, it can have other names. Linux-vdso.so.1, is a virtual dynamic shared object that the kernel automatically maps into the address space in every process. If we execute the sample-target binary with ldd we can see that information. We can utilize the ldd tool to inspect the shared libraries that are loaded into a process. Let’s use sample-target as the target process and sample-library as the shared library we will be injecting. This environmental variable can be configured with a path to the shared library to be loaded before any other shared object.įor most of the blog, we will be using the examples available in GitHub, listed here. LD_PRELOAD is the easiest and most popular way to load a shared library in a process at startup. In this blog post, we are going to review some of those techniques and focus on how we can hunt for them using Osquery. ![]() ![]() I recently came across a great blog from TrustedSec that describes a few techniques and tools that can be used to do library injection in Linux. When it comes to Linux, this is less commonly seen in the wild. When analyzing malware and adversary activity in Windows environments, DLL injection techniques are commonly used, and there are plenty of resources on how to detect these activities.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |