Hijack Execution Flow: Dynamic Linker Hijacking T1574.006
Tactics: Stealth, Execution
Adversaries may execute their own malicious payloads by hijacking the environment variables the dynamic linker uses to locate shared libraries. While preparing a program for execution, the dynamic linker loads shared libraries from absolute paths named in various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries named in these variables are loaded first, so their symbols take precedence over system libraries that export a function of the same name. Each platform's linker honours an extensive list of environment variables at different points in execution. Developers legitimately use these variables to debug binaries without recompiling, to deconflict mapped symbols, and to override functions in the original library with custom implementations.
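The two signal families the rules under this technique key on are preload or search-path variables set on a process (whether recorded in its environment or prefixed inline on the command line) and writes to the linker's own files. The script below is an added example, not part of this catalog or any vendor's rule set; it evaluates constructed process-execution and file-create events against both families and applies a small allowlist standing in for the exclusions the catalog tracks. The event field names (`event_type`, `process.env_vars`, `file.path`) and the allowlisted library paths are assumptions for the example.

```python
"""Toy detector for Dynamic Linker Hijacking (T1574.006) signals.

Added example, not catalog or vendor code. Events are plain dicts whose
keys loosely mimic ECS-style naming; that layout is an assumption here.
"""
import re

# Variables the dynamic linker consults before the normal library search.
PRELOAD_ENV_VARS = (
    "LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT",      # Linux ld.so
    "DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH",    # macOS dyld
)

# A write to any of these hands the writer every future dynamically linked
# process on the host: the preload file, search-path config, or ld.so itself.
LINKER_FILE_RE = re.compile(
    r"^(/etc/ld\.so\.preload"
    r"|/etc/ld\.so\.conf(\.d/[^/]+)?"
    r"|/(usr/)?lib(32|64)?/ld-[^/]+\.so(\.\d+)*)$"
)

# Constructed allowlist playing the role of the catalog's exclusions: preload
# objects a fleet injects on purpose (assumption; tune per environment).
ALLOWED_PRELOAD_LIBS = (
    "/usr/lib/x86_64-linux-gnu/libfakeroot/",
    "/usr/lib/libjemalloc.so",
)

# Matches 'VAR=value' prefixes such as "LD_PRELOAD=/x.so cmd" on a command line.
ENV_ASSIGN_RE = re.compile(
    r"(?:^|\s)(" + "|".join(PRELOAD_ENV_VARS) + r")=([^\s]*)"
)


def preload_assignments(event):
    """Yield (variable, value) pairs from the recorded environment and from
    inline assignments on the command line."""
    proc = event.get("process", {})
    for entry in proc.get("env_vars", []):
        var, _, value = entry.partition("=")
        if var in PRELOAD_ENV_VARS:
            yield var, value
    for match in ENV_ASSIGN_RE.finditer(proc.get("command_line", "")):
        yield match.group(1), match.group(2)


def is_allowlisted(value):
    """True only if every colon/space separated object is under an allowed prefix."""
    objects = [o for o in re.split(r"[: ]", value) if o]
    return bool(objects) and all(o.startswith(ALLOWED_PRELOAD_LIBS) for o in objects)


def evaluate(event):
    """Return the findings for one event (an empty list means no alert)."""
    findings = []
    etype = event.get("event_type")
    if etype == "exec":
        seen = set()  # the same assignment often appears in env and argv
        for var, value in preload_assignments(event):
            if (var, value) in seen or is_allowlisted(value):
                continue
            seen.add((var, value))
            findings.append({"rule": "preload_env_var_on_exec",
                             "detail": f"{var}={value}",
                             "process": event["process"].get("name")})
    elif etype == "file_create":
        path = event.get("file", {}).get("path", "")
        if LINKER_FILE_RE.match(path):
            findings.append({"rule": "linker_file_written",
                             "detail": path,
                             "process": event.get("process", {}).get("name")})
    return findings


def run(events):
    """Evaluate a stream of events and collect every finding in order."""
    out = []
    for event in events:
        out.extend(evaluate(event))
    return out


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"event_type": "exec",
     "process": {"name": "id",
                 "command_line": "LD_PRELOAD=/tmp/.x/libhook.so id",
                 "env_vars": ["LD_PRELOAD=/tmp/.x/libhook.so", "HOME=/root"]}},
    {"event_type": "exec",  # fakeroot legitimately preloads its shim
     "process": {"name": "dpkg-buildpackage",
                 "command_line": "dpkg-buildpackage -us -uc",
                 "env_vars": ["LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so"]}},
    {"event_type": "file_create", "process": {"name": "bash"},
     "file": {"path": "/etc/ld.so.preload"}},
    {"event_type": "file_create", "process": {"name": "apt"},
     "file": {"path": "/var/lib/dpkg/info/libc6.list"}},
    {"event_type": "exec",
     "process": {"name": "osascript",
                 "command_line": "osascript -e 'display dialog \"hi\"'",
                 "env_vars": ["DYLD_INSERT_LIBRARIES=/Users/Shared/.lib/inject.dylib"]}},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

Of the five sample events, three produce findings: the inline LD_PRELOAD on `id`, the write to /etc/ld.so.preload, and the DYLD_INSERT_LIBRARIES on `osascript`; the fakeroot preload is suppressed by the allowlist and the dpkg file write does not touch a linker path. The regex for linker files is deliberately anchored so that ordinary package-manager writes elsewhere under /lib do not trip it.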
Events covered
3 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
| ESF | exec | Process Execution (Notify) |
| Linux-Auditd | Event ID 1302 | PATH |
Authoring guide
Patterns shared across the 24 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (24 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (383 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (225 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's entry lists its full predicates, exclusions, and indicators.
Sigma 2 rules
Elastic 17 rules
- Dylib Injection via Process Environment Variables
- Dynamic Linker (ld.so) Creation
- Dynamic Linker Copy
- Dynamic Linker Creation
- Dynamic Linker Modification Detected via Defend for Containers
- Modification of Dynamic Linker Preload Shared Object
- Modification of Environment Variable via Unsigned or Untrusted Parent
- Pod or Container Creation with Suspicious Command-Line
- Potential CVE-2025-32463 Nsswitch File Creation
- Potential Persistence via File Modification
- Potential Privilege Escalation via PKEXEC
- Potential Suspicious File Edit
- Shared Object Created by Previously Unknown Process
- Suspicious Dynamic Linker Discovery via od
- Suspicious Echo or Printf Execution Detected via Defend for Containers
- Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments
- Unusual Preload Environment Variable Process Execution