T1055.014 VDSO Hijacking
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls that open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in the process’s global offset table (which stores the absolute addresses of mapped library functions).[6][1][7][2]
Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.
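The observable that the Module Load data source (DS0011) points at is a shared object that the victim process was made to open and map: it shows up in the process's memory map as an executable region backed by a file outside the normal library directories, by a deleted file, or by no file at all. The following script is an added defender-side example, not code from the ATT&CK page or from MITRE; it parses a /proc/<pid>/maps listing and reports such regions. The trusted-directory allow-list and the SAMPLE_MAPS listing are assumptions constructed for the example and need tuning per host.

```python
"""Audit a /proc/<pid>/maps listing for executable mappings that do not belong.

Added defender-side example; not code from the ATT&CK page or from MITRE.
Assumptions: TRUSTED_EXEC_PREFIXES and SAMPLE_MAPS below are constructed for
this example and must be adjusted for the host being checked.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Directories a normal process is expected to map executable code from.
# Assumption: extend for the distribution (e.g. /opt or /snap on some hosts).
TRUSTED_EXEC_PREFIXES = (
    "/usr/lib", "/usr/lib64", "/usr/libexec", "/lib", "/lib64",
    "/usr/bin", "/usr/sbin", "/bin", "/sbin",
)

# Kernel-provided pseudo-mappings that are legitimately executable.
KERNEL_PSEUDO = {"[vdso]", "[vsyscall]"}

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def parse_maps(text: str) -> List[Dict]:
    """Parse maps text into dicts with integer start/end/inode and a stripped path."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        row = m.groupdict()
        row["start"] = int(row["start"], 16)
        row["end"] = int(row["end"], 16)
        row["inode"] = int(row["inode"])
        row["path"] = row["path"].strip()
        rows.append(row)
    return rows


def audit_maps(text: str, exe_path: str) -> List[Finding]:
    """Return executable mappings that a process running exe_path should not have.

    A foreign shared object that was opened and mapped into the process appears
    as an executable region backed by a file outside the trusted directories,
    by a deleted file, or by no file at all.
    """
    findings: List[Finding] = []
    for r in parse_maps(text):
        if "x" not in r["perms"]:
            continue  # only executable regions matter for this check
        path = r["path"]
        if path == exe_path or path in KERNEL_PSEUDO:
            continue  # the program itself and the kernel's vdso are expected
        if path.startswith("["):
            reason = f"executable {path} region"  # e.g. an executable stack or heap
        elif path == "" or r["inode"] == 0:
            reason = "anonymous executable mapping"
        elif path.endswith(" (deleted)"):
            reason = "executable mapping backed by a deleted file"
        elif not path.startswith(TRUSTED_EXEC_PREFIXES):
            reason = "shared object mapped from untrusted path"
        else:
            continue
        findings.append(Finding(r["start"], r["end"], r["perms"], path, reason))
    return findings


# Constructed sample: a 'sleep' process with two legitimate executable
# mappings plus three that an injected shared object would leave behind.
SAMPLE_MAPS = """\
55d3c0a00000-55d3c0a01000 r-xp 00000000 fd:01 1311 /usr/bin/sleep
7f1a2c000000-7f1a2c1c0000 r-xp 00000000 fd:01 4002 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a2c3e0000-7f1a2c3e1000 r-xp 00000000 fd:01 9876 /tmp/.cache/libhelper.so
7f1a2c400000-7f1a2c410000 rwxp 00000000 00:00 0
7f1a2c500000-7f1a2c501000 r-xp 00000000 00:1e 55 /dev/shm/x.so (deleted)
7ffd5e8f0000-7ffd5e8f2000 r-xp 00000000 00:00 0 [vdso]
7ffd5e8d0000-7ffd5e8f0000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    import os
    import sys
    text, exe = SAMPLE_MAPS, "/usr/bin/sleep"
    if len(sys.argv) == 2:  # optional: audit a live process by PID on a Linux host
        pid = sys.argv[1]
        with open(f"/proc/{pid}/maps") as fh:
            text = fh.read()
        exe = os.readlink(f"/proc/{pid}/exe")
    for f in audit_maps(text, exe):
        print(f"{f.start:012x}-{f.end:012x} {f.perms} {f.path or '<anon>'}: {f.reason}")
```

Run without arguments it audits the constructed sample and reports the /tmp library, the anonymous rwxp region and the deleted /dev/shm object; run with a PID on a Linux host it reads that process's maps instead. The allow-list is deliberately a prefix match on directories, so a library under a trusted path is never flagged even if its name is unfamiliar; pairing this with the OS API Execution data component (calls that open and map a file into an already-running process) narrows the result to the behaviour this technique actually exhibits.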
Item | Value |
---|---|
ID | T1055.014 |
Sub-techniques | T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014, T1055.015 |
Tactics | TA0005, TA0004 |
Platforms | Linux |
Version | 1.1 |
Created | 14 January 2020 |
Last Modified | 07 July 2022 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0011 | Module | Module Load |
DS0009 | Process | OS API Execution |
References
1. backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved June 15, 2020.
2. Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020.
3. GNU. (2010, February 5). The GNU Accounting Utilities. Retrieved December 20, 2017.
4. Jahoda, M. et al. (2017, March 14). Red Hat Security Guide - Chapter 7 - System Auditing. Retrieved December 20, 2017.
5. Ligh, M.H. et al. (2014, July). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. Retrieved December 20, 2017.
6. O’Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved March 15, 2020.
7. Petersson, J. (2005, August 14). What is linux-gate.so.1? Retrieved June 16, 2020.
8. stderr. (2014, February 14). Detecting Userland Preload Rootkits. Retrieved December 20, 2017.