When analyzing malware and adversary activity in Windows environments, DLL injection techniques are commonly encountered, and there are plenty of resources on how to detect them.
On Linux, library injection is less commonly seen in the wild.
I recently came across a great blog from TrustedSec that describes a few techniques and tools that can be used to do library injection in Linux. In this blog post, we are going to review some of those techniques and focus on how we can hunt for them using Osquery.
LD_PRELOAD
LD_PRELOAD is the easiest and most popular way to load a shared library into a process at startup. This environment variable can be set to the path of a shared library, which the dynamic loader then loads before any other shared object.
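As an added example (not from the original post or the TrustedSec tooling), the following osquery SQL hunts for the mechanism just described: processes whose environment carries LD_PRELOAD, and shared objects mapped from outside the usual library directories. It assumes only the stock osquery tables processes, process_envs and process_memory_map.

```sql
-- Added example, not code from the original post. Assumes stock osquery
-- tables: processes, process_envs, process_memory_map (no custom tables).

-- 1. Running processes whose environment contains LD_PRELOAD.
--    Benign uses exist (sandboxes, some wrappers), so review the library
--    path, the executable and the parent before treating a hit as malicious.
SELECT p.pid,
       p.name,
       p.path,
       p.cmdline,
       p.uid,
       p.parent,
       e.value AS ld_preload
FROM process_envs e
JOIN processes p ON p.pid = e.pid
WHERE e.key = 'LD_PRELOAD';

-- 2. Shared objects mapped into a process from outside the standard library
--    directories. An injected library is frequently dropped somewhere
--    writable (a home directory, /tmp, /dev/shm) rather than under /lib.
--    pseudo = 0 excludes anonymous and special mappings such as [heap].
SELECT DISTINCT m.pid,
       p.name,
       p.path AS exe,
       m.path AS mapped_lib
FROM process_memory_map m
JOIN processes p ON p.pid = m.pid
WHERE m.pseudo = 0
  AND m.path LIKE '%.so%'
  AND m.path NOT LIKE '/lib%'
  AND m.path NOT LIKE '/usr/lib%'
  AND m.path NOT LIKE '/usr/local/lib%';
```

Both queries can be run ad hoc in osqueryi or scheduled in an osquery pack, in which case the first query's hits are usually rare enough to alert on directly while the second benefits from an allowlist of known application library paths.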
For most of the blog, we will be using the examples available on GitHub, listed here.
Let’…
Posted by: Jaime Blasco
The post Hunting for Linux library injection with Osquery appeared first on Cybersecurity Insiders.
July 03, 2019 at 09:08AM