Loading AttackTrace...
Loading AttackTrace...
Dynamic Linker Hijacking (T1574.006) is a MITRE ATT&CK technique associated with Stealth, Execution . Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
Dynamic Linker Hijacking (T1574.006) is a MITRE ATT&CK technique associated with Stealth, Execution. Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
Attackers use Dynamic Linker Hijacking because it provides a reliable way to advance their objective within the Stealth, Execution tactic, often with a favorable balance of impact versus detectability on Linux, macOS environments. Defenders should assess this behavior in the context of the affected platform and adjacent activity rather than treating it as a standalone indicator.
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used LD_PRELOAD to inject a malicious library into every descendant process of the sshd daemon, resulting in execution under a legitimate process. When the executing sub-process calls the execve function, for example, the malicious library’s execve function is executed rather than the system function execve contained in the system library on disk. This allows adversaries to Hide Artifacts from detection, as hooking system functions such as execve and readdir enables malware to scrub its own artifacts from the results of commands such as ls, ldd, iptables, and dmesg.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.
No universal command represents Dynamic Linker Hijacking. Capture the exact command line, arguments, parent process, account, host, and execution time from the investigated environment; do not operationalize unverified examples.
| Event ID | Log Channel | What It Indicates |
|---|---|---|
| Not universally applicable | Validate platform coverage | This technique may not produce a Windows event; use telemetry native to the affected platform. |
| Sysmon Event ID | Name | Why It's Relevant Here |
|---|---|---|
| Environment-specific | Validate configured telemetry | Use process, network, file, registry, DNS, or image-load telemetry only when relevant and enabled. |
No MITRE detection guidance published for this technique.
Relevant ATT&CK Data Sources: N/A
A universal Sigma rule would create unreliable results because this technique has no single guaranteed observable. Build detection logic from a documented behavior and supported data source, scope it to the affected platform, and validate it against benign administrative activity before deployment.
Start with the data sources named in the detection section. Scope searches by asset, identity, and time window; correlate the primary behavior with preceding access and subsequent actions. A portable query is intentionally not provided where the technique lacks a universal schema or observable.