Skip to content

LD_PRELOAD code injection detected


The LdPreload signature identifies the use of LD_PRELOAD and LD_LIBRARY_PATH environment variables, or alterations to the /etc/ file, which can potentially be leveraged for code injection. By preloading certain libraries, adversaries might gain the ability to hijack function calls or manipulate program behavior.


This signature targets three main aspects:

  1. Monitoring environment variables during process execution that are related to library preloading.
  2. Detecting when the /etc/ file is being opened with write permissions.
  3. Observing renaming operations that involve the /etc/ file.

These detections are pivotal, as the unauthorized or unintended use of LD_PRELOAD can allow attackers to change the order in which a program loads its libraries. This could enable them to inject malicious code or redirect specific function calls to other unintended functions.


The primary goal of this signature is to detect and alert on potential code injection attempts that exploit library preloading mechanisms. By detecting alterations or suspicious usage of related environment variables or the preload file, it aids in thwarting attempts by adversaries to subvert application behavior or maintain a malicious foothold on the system.


  • ID: TRC-107
  • Version: 1
  • Name: LD_PRELOAD code injection detected
  • EventName: ld_preload
  • Description: Monitors for the use of LD_PRELOAD or LD_LIBRARY_PATH environment variables and changes to the /etc/ file. These methods can be exploited for malicious code injection or altering program behavior.
  • Properties:
  • Severity: 2
  • Category: persistence
  • Technique: Hijack Execution Flow
  • Kubernetes_Technique: N/A
  • id: attack-pattern--aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6
  • external_id: T1574


When any suspicious or predefined activities are detected, the signature triggers a Finding, signaling a potential threat. This finding contains the event's metadata and might also include data fields specifying the particular environment variable that was used.

Events Used

The signature listens to three event types:

  1. sched_process_exec - Examines environment variables during process execution to detect the usage of LD_PRELOAD or LD_LIBRARY_PATH.
  2. security_file_open - Monitors if the /etc/ file is being accessed with write permissions, indicating potential alterations.
  3. security_inode_rename - Observes renaming operations involving the /etc/ file.

Using these events, the signature provides an extensive defense against unauthorized or malicious utilization of library preloading mechanisms.