Info
ID: AT-DC003.002
Tactic: Deepening Control
Technique: Exploitation for Defense Evasion
Platforms: Linux, macOS, Windows
Defense Bypassed: Runtime Application Security Monitoring, Dynamic Analysis
Version: 1.0
Shared Library
Shared library manipulation, within the context of Deepening Control and Exploitation for Defense Evasion, is a method in which adversaries abuse the operating system's dynamic linking mechanism to run their code inside processes that defenders already trust. Adversaries replace, modify, or redirect legitimate shared libraries (.so files on Linux, .dylib files on macOS, .dll files on Windows) so that malicious code executes within the trusted context of a benign process. The technique exploits the loader's library search order, its preloading mechanisms (LD_PRELOAD and /etc/ld.so.preload on Linux, DYLD_INSERT_LIBRARIES on macOS), or direct modification of system libraries on disk to gain persistence, elevate privileges, or bypass security controls.

The approach is effective because most applications implicitly trust the libraries they depend on, and because security products often cannot distinguish a legitimate library call from a malicious one made from the same process. Concrete variants include DLL hijacking, library load-order abuse, and direct library modification; each ensures the adversary's code runs whenever the target application loads, allowing them to remain stealthy while deepening their control over the compromised system.
Mitigations
ID | Mitigation | Description |
---|---|---|
M1022 | Restrict File and Directory Permissions | Enforce strict permissions on shared library directories and files so that only privileged accounts can create or replace libraries, and ensure no directory on an application's library search path is writable by unprivileged users |
M1040 | Behavior Prevention on Endpoint | Use endpoint detection and response capabilities to monitor library loading and block or alert on libraries loaded from user-writable or temporary locations |
M1045 | Code Signing | Verify the signatures of shared libraries and dynamic link libraries before they are loaded, and alert on unsigned or incorrectly signed libraries |
Detection
ID | Data Source | Detection |
---|---|---|
DS0022 | File: File Modification | Track modifications or hash changes to system and application shared libraries and compare against trusted baselines to identify tampering or replacement. |
DS0009 | Process: Process Metadata | Monitor runtime library load events and preload indicators (e.g., LD_PRELOAD in a process environment, DLL search-order hijacking) and alert when unsigned or untrusted libraries are loaded from non-standard paths. |
DS0009 | Process: OS API Execution | Profile processes for anomalous API calls originating from newly loaded libraries or unexpected function import tables, indicating malicious code paths. |
DS0022 | File: File Metadata | Detect unauthorized permission or attribute changes on library directories and files (e.g., sticky bit removal, timestamp stomping) that often precede malicious replacement. |
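The following Linux-oriented detection script is an added example written for this page; it is not part of the original technique entry or of any vendor tool. It ties together the preload and load-path checks described in the technique description and the File Modification and Process Metadata detections in the table above: it parses the text of /proc/<pid>/maps and /proc/<pid>/environ for a process, flags shared objects mapped from outside a trusted directory list, flags mappings whose backing file has been deleted (a common anti-forensic trick after injection), reports LD_PRELOAD and /etc/ld.so.preload entries, and compares SHA-256 hashes of system libraries against a baseline. The trusted directory list, the sample maps/environ/preload content and the stand-in library bytes are all constructed assumptions for the example; macOS DYLD_INSERT_LIBRARIES and Windows DLL search-order checks are not covered here.

```python
import hashlib

# Directories from which shared object loads are considered expected.
# Assumption for this example: tune the list per host and per application.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def parse_maps(maps_text):
    """Extract file-backed mapping paths from the text of /proc/<pid>/maps.

    Returns a dict mapping path -> True if any mapping of that file is
    marked '(deleted)' by the kernel, else False.
    """
    mapped = {}
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(parts) < 6 or not parts[5].startswith("/"):
            continue  # anonymous mapping, [heap], [stack], [vdso] ...
        path = parts[5]
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        mapped[path] = deleted or mapped.get(path, False)
    return mapped


def parse_environ(environ_bytes):
    """Parse the NUL-separated KEY=VALUE content of /proc/<pid>/environ."""
    env = {}
    for item in environ_bytes.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_shared_object(path):
    """True for names like libfoo.so or libc.so.6, false for executables."""
    base = path.rsplit("/", 1)[-1]
    return base.endswith(".so") or ".so." in base


def check_library_loads(mapped):
    """Flag shared objects mapped from untrusted paths or deleted files."""
    findings = []
    for path, deleted in sorted(mapped.items()):
        if not is_shared_object(path):
            continue
        if not path.startswith(TRUSTED_LIB_DIRS):
            findings.append(f"untrusted-path: {path}")
        if deleted:
            findings.append(f"deleted-on-disk: {path}")
    return findings


def check_preload(env, ld_so_preload_text):
    """Report per-process LD_PRELOAD and system-wide /etc/ld.so.preload entries."""
    findings = []
    if env.get("LD_PRELOAD"):
        findings.append(f"LD_PRELOAD: {env['LD_PRELOAD']}")
    for line in ld_so_preload_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            findings.append(f"ld.so.preload: {line}")
    return findings


def check_baseline(baseline_hashes, current_contents):
    """Compare SHA-256 of on-disk library bytes against a trusted baseline."""
    findings = []
    for path, expected in sorted(baseline_hashes.items()):
        data = current_contents.get(path)
        if data is None:
            findings.append(f"missing: {path}")
            continue
        if hashlib.sha256(data).hexdigest() != expected:
            findings.append(f"hash-mismatch: {path}")
    return findings


def analyze(maps_text, environ_bytes, ld_so_preload_text, baseline_hashes, current_contents):
    """Run all checks for one process and return the list of finding strings."""
    mapped = parse_maps(maps_text)
    env = parse_environ(environ_bytes)
    return (check_library_loads(mapped)
            + check_preload(env, ld_so_preload_text)
            + check_baseline(baseline_hashes, current_contents))


# Constructed sample input mimicking a hooked sshd process (not captured from a real host).
SAMPLE_MAPS = """\
5603e4a00000-5603e4a2f000 r--p 00000000 08:01 131090  /usr/sbin/sshd
7f2c9a000000-7f2c9a028000 r--p 00000000 08:01 262190  /usr/lib/x86_64-linux-gnu/libc.so.6
7f2c9a400000-7f2c9a402000 r-xp 00000000 08:01 917512  /tmp/.cache/libhook.so
7f2c9a600000-7f2c9a601000 r-xp 00000000 00:16 917513  /dev/shm/libinject.so (deleted)
7ffd1c3e0000-7ffd1c401000 rw-p 00000000 00:00 0       [stack]
"""
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LD_PRELOAD=/tmp/.cache/libhook.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# system-wide preload list\n/dev/shm/libinject.so\n"
LIBC_PATH = "/usr/lib/x86_64-linux-gnu/libc.so.6"
GOOD_LIBC = b"constructed stand-in for libc.so.6 bytes"  # stands in for real file contents
BASELINE = {LIBC_PATH: hashlib.sha256(GOOD_LIBC).hexdigest()}
TAMPERED = {LIBC_PATH: GOOD_LIBC + b" with a patched PLT stub"}


def demo():
    return analyze(SAMPLE_MAPS, SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD, BASELINE, TAMPERED)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the maps, environ and preload inputs come from reading /proc and /etc/ld.so.preload for each process of interest, and the baseline from package manager metadata or a hash manifest captured at install time; the point of the example is that every indicator in the table above reduces to a small, testable parser over data the host already exposes.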