
DET0448 Detection Strategy for VDSO Hijacking on Linux

ID: DET0448
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1055.014 (VDSO Hijacking)

Analytics

Linux

AN1241

Detects redirection of a process's syscall execution flow through modification of its VDSO code stubs or GOT entries, typically after a ptrace attach, so that the target process maps (mmap/mprotect) and executes a malicious shared object.

Log Sources
Data Component | Name | Channel
OS API Execution (DC0021) | auditd:SYSCALL | ptrace, mmap, mprotect, open/openat (dlopen is a libc call rather than a syscall; auditd observes it as the openat and mmap of the library)
Process Modification (DC0020) | auditd:memprotect | mprotect changing an existing mapping from PROT_READ to PROT_EXEC (or to read/write/execute)
Module Load (DC0016) | auditd:file-events | open of a suspicious .so from a non-standard path
Process Creation (DC0032) | linux:osquery | child process invoking the dynamic linker after a ptrace attach
Mutable Elements
Field | Description
SuspiciousSharedObjectPathRegex | Regex matching shared-object paths outside the standard library directories (/lib, /usr/lib, etc.), e.g. /tmp or /dev/shm
TimeWindow_PtraceToMmap | Maximum delay allowed between the ptrace attach and the mmap/mprotect executed in the traced (target) process
ExecMemoryProtectionThreshold | Flag when executable memory mappings deviate from the process's normal runtime behaviour
AnomalousParentProcessList | Parent processes from which a ptrace call is unlikely to be legitimate (e.g., nginx, apache2, sshd)
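The correlation AN1241 describes (a ptrace attach followed, within a time window, by an executable mapping or a suspicious .so open in the traced process), written out as an added worked example over constructed auditd records. This is illustrative code, not part of the ATT&CK page or any MITRE tooling. Assumptions: x86_64 syscall numbers (ptrace=101, mmap=9, mprotect=10, open=2, openat=257), the PTRACE_ATTACH (0x10) and PTRACE_SEIZE (0x4206) request codes in a0, the tracee pid in a1, PROT_EXEC (0x4) in a2; the regex, 30-second window and process list are hypothetical stand-ins for the mutable elements above, and the parent-process list is applied to the comm of the process calling ptrace because an auditd SYSCALL record carries only a numeric ppid. The log lines are constructed, not captured.

```python
import re

# Hypothetical tunables standing in for the analytic's mutable elements;
# these values are assumptions for this example, not the page's defaults.
SUSPICIOUS_SO_PATH = re.compile(r"^/(tmp|var/tmp|dev/shm|home)/.*\.so(\.\d+)*$")
TIME_WINDOW_PTRACE_TO_MMAP = 30.0                   # seconds
ANOMALOUS_PTRACE_CALLERS = {"nginx", "apache2", "sshd"}

# x86_64 syscall numbers as they appear in auditd SYSCALL records
SYSCALL_NAMES = {101: "ptrace", 9: "mmap", 10: "mprotect", 2: "open", 257: "openat"}
PTRACE_ATTACH, PTRACE_SEIZE = 0x10, 0x4206          # ptrace request codes (a0)
PROT_EXEC = 0x4                                     # bit in the prot argument (a2)

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Split one auditd record into a dict; auditd prints syscall args in hex."""
    m = MSG.search(line)
    if not m:
        raise ValueError("not an auditd record: " + line)
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["ts"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def parse_events(lines):
    """Group SYSCALL and PATH records that share an audit serial into one event."""
    events = {}
    for line in filter(None, map(str.strip, lines)):
        rec = parse_record(line)
        ev = events.setdefault(rec["serial"], {"ts": rec["ts"], "serial": rec["serial"]})
        if rec["type"] == "SYSCALL":
            ev.update(rec)
            ev["name"] = SYSCALL_NAMES.get(int(rec["syscall"]), rec["syscall"])
        elif rec["type"] == "PATH" and "name" in rec:
            ev["path"] = rec["name"]          # file opened by the syscall
    return sorted(events.values(), key=lambda e: (e["ts"], e["serial"]))


def detect(events):
    """Correlate a ptrace attach/seize with later PROT_EXEC mappings or suspicious
    .so opens in the traced process, within TIME_WINDOW_PTRACE_TO_MMAP seconds."""
    alerts = []
    traced = {}   # tracee pid -> (attach time, tracer comm)
    for ev in events:
        if ev.get("success") != "yes":
            continue
        pid, name = int(ev["pid"]), ev.get("name")
        if name == "ptrace":
            if int(ev["a0"], 16) in (PTRACE_ATTACH, PTRACE_SEIZE):
                traced[int(ev["a1"], 16)] = (ev["ts"], ev["comm"])
            # Simplification: the list is checked against the caller's comm,
            # since auditd gives only the numeric ppid of the caller.
            if ev["comm"] in ANOMALOUS_PTRACE_CALLERS:
                alerts.append({"reason": "ptrace_from_anomalous_process",
                               "pid": pid, "comm": ev["comm"], "tracer": ev["comm"]})
            continue
        if pid not in traced:
            continue
        t0, tracer = traced[pid]
        if ev["ts"] - t0 > TIME_WINDOW_PTRACE_TO_MMAP:
            continue                          # attach too old to correlate
        alert = {"pid": pid, "comm": ev["comm"], "tracer": tracer,
                 "delay": round(ev["ts"] - t0, 3)}
        if name in ("mmap", "mprotect") and int(ev["a2"], 16) & PROT_EXEC:
            alerts.append({**alert, "reason": "exec_memory_after_ptrace", "syscall": name})
        elif name in ("open", "openat") and SUSPICIOUS_SO_PATH.match(ev.get("path", "")):
            alerts.append({**alert, "reason": "suspicious_so_open_after_ptrace", "path": ev["path"]})
    return alerts


# Constructed auditd records (not real captures). Serial 5004 shows a SYSCALL
# record and its PATH record for the same openat; hex pids: bb8=3000, 1068=4200.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1761040000.100:5001): arch=c000003e syscall=9 success=yes exit=140000000 a0=0 a1=1e000 a2=5 a3=802 pid=3100 ppid=1 comm="cron" exe="/usr/sbin/cron" key="mmap"
type=SYSCALL msg=audit(1761040000.200:5002): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=bb8 a2=0 a3=0 pid=2000 ppid=1900 comm="gdb" exe="/usr/bin/gdb" key="ptrace"
type=SYSCALL msg=audit(1761040010.000:5003): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1068 a2=0 a3=0 pid=4100 ppid=4000 comm="inject" exe="/tmp/inject" key="ptrace"
type=SYSCALL msg=audit(1761040010.500:5004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0 a2=80000 a3=0 pid=4200 ppid=1 comm="nginx" exe="/usr/sbin/nginx" key="open"
type=PATH msg=audit(1761040010.500:5004): item=0 name="/dev/shm/libhook.so" inode=12 dev=00:18 mode=0100755
type=SYSCALL msg=audit(1761040010.600:5005): arch=c000003e syscall=9 success=yes exit=7f0000000000 a0=0 a1=3000 a2=5 a3=2 pid=4200 ppid=1 comm="nginx" exe="/usr/sbin/nginx" key="mmap"
type=SYSCALL msg=audit(1761040010.700:5006): arch=c000003e syscall=10 success=yes exit=0 a0=7f0000000000 a1=1000 a2=7 a3=0 pid=4200 ppid=1 comm="nginx" exe="/usr/sbin/nginx" key="mprotect"
type=SYSCALL msg=audit(1761040100.000:5007): arch=c000003e syscall=9 success=yes exit=7f1000000000 a0=0 a1=2000 a2=5 a3=22 pid=3000 ppid=1 comm="myapp" exe="/opt/myapp" key="mmap"
"""


def run_sample():
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

In the sample, cron's executable mapping (no prior ptrace) and myapp's mapping (ptrace by gdb, but 99.8 s earlier, outside the window) produce nothing; nginx, attached by the process "inject", raises three alerts: the open of /dev/shm/libhook.so, the PROT_EXEC mmap, and the RWX mprotect. Tune the window to the debuggers and profilers in use, since a legitimate gdb session followed by a JIT's mprotect in the debuggee will otherwise trip the same rule.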