Skip to content

DET0435 Detection Strategy for Hijack Execution Flow: Dynamic Linker Hijacking

Item Value
ID DET0435
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1574.006 (Dynamic Linker Hijacking)

Analytics

Linux

AN1209

Detection focuses on identifying abuse of LD_PRELOAD and related linker variables. Defender perspective: monitor unexpected setting or modification of LD_PRELOAD in shell initialization scripts or environment exports, file creation of suspicious shared libraries, and correlation of these modifications with anomalous process execution. Key signals include execve events with LD_PRELOAD defined, newly created .so files in user directories, and processes hooking libc functions exhibiting abnormal behavior.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve with LD_PRELOAD or linker-related environment variables set
File Creation (DC0039) auditd:PATH creation of .so files in non-standard directories (e.g., /tmp, /home/*)
Process Metadata (DC0034) linux:osquery process environment variables containing LD_PRELOAD
Mutable Elements
Field Description
WatchedEnvVars Environment variables like LD_PRELOAD, LD_LIBRARY_PATH. Defenders can tune based on development vs. production systems.
MonitoredDirectories Non-standard library paths (e.g., /tmp, user home dirs). May be tuned to reduce false positives from benign development activity.
CorrelationWindow Timeframe to correlate suspicious library creation with process execution that loads it.

macOS

AN1210

Detection centers on DYLD_INSERT_LIBRARIES and DYLD_LIBRARY_PATH abuse. Defender perspective: monitor for modification of these environment variables in shell or plist files, file creation of dylibs in user-controlled paths, and correlation of environment variable usage with unexpected module loads by user applications. Suspicious indicators include processes with DYLD_INSERT_LIBRARIES set, execution of applications loading untrusted dylibs, and anomalies in module load history.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog execution of process with DYLD_INSERT_LIBRARIES set
File Modification (DC0061) macos:unifiedlog create/modify dylib in monitored directories
Module Load (DC0016) macos:unifiedlog loading of unexpected dylibs compared to historical baselines
Mutable Elements
Field Description
WatchedEnvVars macOS linker variables like DYLD_INSERT_LIBRARIES. Tunable to development environments where use may be expected.
BaselineDylibs Known dylibs typically loaded by apps. Deviations highlight potential hijacking.
MonitoredDirectories Locations where dylibs are monitored for tampering (e.g., /Applications, /System/Library, /tmp).