T1055.014: VDSO Hijacking
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which stores absolute addresses of mapped library functions).
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0009 | Process: OS API Execution | Monitor for malicious usage of system calls, such as ptrace and mmap, that can be used to attach to a process, manipulate its memory, then redirect its execution path. Monitoring for Linux-specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods. |
| DS0011 | Module: Module Load | Monitor library load events, especially unusual creation of these binary files followed by loading into processes. Look for libraries that are not recognized or not normally loaded into a process. |
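As an added illustration of the DS0009 guidance (not part of the ATT&CK entry), this Python example correlates auditd SYSCALL records to find a tracer that attaches to another process and then writes to its memory or registers. The audit rule key, the sample records, and the function name are assumptions constructed for the example; the syscall number and ptrace request values are the x86_64 Linux ones.

```python
import re

# Assumes an audit rule such as: -a always,exit -F arch=b64 -S ptrace -k ptrace_watch
# (the key name is a placeholder). Constants are x86_64 values from the Linux headers.
X86_64_ARCH, PTRACE_NR = "c000003e", "101"
ATTACH = {0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}
WRITE = {0x4: "PTRACE_POKETEXT", 0x5: "PTRACE_POKEDATA", 0xD: "PTRACE_SETREGS"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records in auditd SYSCALL format; not taken from a real host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=4100 uid=1000 comm="loader" exe="/tmp/loader"
type=SYSCALL msg=audit(1700000000.140:502): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7ffd1000 a3=0 pid=4100 uid=1000 comm="loader" exe="/tmp/loader"
type=SYSCALL msg=audit(1700000000.150:503): arch=c000003e syscall=101 success=yes exit=0 a0=d a1=4d2 a2=0 a3=7ffe2000 pid=4100 uid=1000 comm="loader" exe="/tmp/loader"
type=SYSCALL msg=audit(1700000001.000:504): arch=c000003e syscall=101 success=yes exit=0 a0=4206 a1=8ae a2=0 a3=0 pid=5200 uid=1000 comm="strace" exe="/usr/bin/strace"
type=SYSCALL msg=audit(1700000002.000:505): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=1 a2=0 a3=0 pid=6300 uid=1000 comm="probe" exe="/tmp/probe"
"""


def find_injection_sequences(log_text):
    """Return one finding per (tracer, target) pair that attached and then wrote."""
    pairs = {}
    for line in log_text.splitlines():
        f = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if (f.get("type"), f.get("arch"), f.get("syscall")) != ("SYSCALL", X86_64_ARCH, PTRACE_NR):
            continue  # not a ptrace call on x86_64
        if f.get("success") != "yes":
            continue  # a failed attach or write changed nothing in the target
        # auditd logs syscall arguments as hex without a 0x prefix:
        # a0 is the ptrace request, a1 is the target pid.
        request, target = int(f["a0"], 16), int(f["a1"], 16)
        key = (int(f["pid"]), target)
        if request in ATTACH:
            pairs[key] = {"tracer": key[0], "target": target,
                          "exe": f.get("exe"), "writes": []}
        elif request in WRITE and key in pairs:
            pairs[key]["writes"].append(WRITE[request])
    # Attach-only tracers (e.g. strace observing syscalls) are not reported.
    return [p for p in pairs.values() if p["writes"]]


if __name__ == "__main__":
    for finding in find_injection_sequences(SAMPLE_LOG):
        print(finding)
```

Debuggers such as gdb produce the same attach-then-write sequence when setting breakpoints, so findings should be triaged by the tracer's executable path and the identity of the target process.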
Mitigation
| ID | Name | Description |
|---|---|---|
| M1040 | Behavior Prevention on Endpoint | Some endpoint security solutions can be configured to block some types of process injection based on common sequences of behavior that occur during the injection process. |