LD_PRELOAD Hijacking
What is LD_PRELOAD Hijacking?
LD_PRELOAD Hijacking: Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes.
LD_PRELOAD hijacking (MITRE ATT&CK T1574.006) abuses the GNU dynamic linker on Linux and most Unix-like systems. By setting LD_PRELOAD (for a single process or a user shell) or by writing a path to /etc/ld.so.preload (system-wide), an attacker forces ld.so to load a chosen shared object before all other libraries. The malicious .so can hook libc symbols such as readdir, open, accept, or write to hide files and processes, capture credentials, or maintain a userland rootkit. The technique works against non-setuid binaries and is widely used by Linux malware families like HiddenWasp and Symbiote. Defenses: monitor /etc/ld.so.preload for changes (AIDE, auditd), restrict it to root, watch for unexpected LD_PRELOAD usage, and verify libc behavior with statically linked tools.
● Examples
- 01: Writing /usr/lib/libsel.so into /etc/ld.so.preload so every new process loads a userland rootkit.
- 02: Setting LD_PRELOAD for sshd to hook PAM authentication and steal credentials.
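The following script is an added example for this entry, not code from the original page or from any product it describes. It audits the two injection points the definition names: the system-wide /etc/ld.so.preload file and LD_PRELOAD in the environment of running processes (as exposed through /proc/PID/environ). The sample inputs are constructed, and the decision to flag every ld.so.preload entry rather than allowlisting by path is a design choice of this example, made because example 01 above places the rootkit in an ordinary library directory.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# Constructed sample input (not data from any real host): a system-wide entry
# mirroring example 01 above, plus two process environments, one of which
# carries LD_PRELOAD (the per-process form used in example 02).
SAMPLE_PRELOAD = "# deployed by config management\n/usr/lib/libsel.so\n"
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/hook.so\0HOME=/root\0",
    1235: b"PATH=/usr/bin\0HOME=/home/alice\0",
}


@dataclass
class Finding:
    source: str    # "ld.so.preload" or "environ:<pid>"
    library: str   # library name exactly as the injection point states it
    reason: str


def parse_ld_so_preload(text: str) -> list[str]:
    """Split /etc/ld.so.preload the way glibc's ld.so does: entries are
    separated by whitespace or ':', and '#' starts a comment to end of line."""
    entries: list[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(e for e in re.split(r"[\s:]+", line) if e)
    return entries


def parse_environ(blob: bytes) -> dict[str, str]:
    """Decode a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env: dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def audit(preload_text: str, environs: dict[int, bytes]) -> list[Finding]:
    """Report every library injected through either mechanism. Any entry in
    /etc/ld.so.preload is a finding: on a healthy host the file is normally
    absent or empty, and a rootkit can sit in a trusted directory (example 01),
    so allowlisting by path alone would miss it."""
    findings: list[Finding] = []
    for lib in parse_ld_so_preload(preload_text):
        reason = "listed in /etc/ld.so.preload (loaded into every new process)"
        if not lib.startswith("/"):
            reason += "; relative name, resolved through the library search path"
        findings.append(Finding("ld.so.preload", lib, reason))
    for pid, blob in environs.items():
        value = parse_environ(blob).get("LD_PRELOAD")
        if value is None:
            continue
        # LD_PRELOAD accepts the same separators (whitespace or ':') as the file.
        for lib in re.split(r"[\s:]+", value):
            if lib:
                findings.append(Finding(f"environ:{pid}", lib,
                                        "LD_PRELOAD set in a running process"))
    return findings


def collect_live() -> tuple[str, dict[int, bytes]]:
    """Read the real injection points on a Linux host. Other users' environ
    files are readable only as root, so run the audit with privileges."""
    try:
        with open("/etc/ld.so.preload", encoding="utf-8", errors="replace") as fh:
            preload = fh.read()
    except OSError:
        preload = ""
    environs: dict[int, bytes] = {}
    try:
        pids = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    except OSError:
        pids = []  # not a Linux host, or /proc not mounted
    for pid in pids:
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[pid] = fh.read()
        except OSError:
            continue  # process exited, or environ not readable at this privilege
    return preload, environs


if __name__ == "__main__":
    live_preload, live_environs = collect_live()
    for f in audit(live_preload, live_environs):
        print(f"{f.source}: {f.library} ({f.reason})")
```

Run it as root to see every process's environment, and pair the point-in-time check with an auditd watch such as `-w /etc/ld.so.preload -p wa -k ld_preload` so the write itself is logged, not only the resulting state. Because the Python interpreter is itself dynamically linked, a preloaded library that hooks open or readdir can hide /etc/ld.so.preload from this script; that is exactly why the definition recommends cross-checking with statically linked tools, for instance from a rescue environment.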
● Frequently asked questions
What is LD_PRELOAD Hijacking?
Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes. It belongs to the Attacks & Threats category of cybersecurity.
What does LD_PRELOAD Hijacking mean?
Linux persistence and library-hijacking technique that uses the LD_PRELOAD environment variable or /etc/ld.so.preload to inject attacker code into dynamically linked processes.
How do you defend against LD_PRELOAD Hijacking?
Defences for LD_PRELOAD Hijacking combine technical controls and operational practices: monitor /etc/ld.so.preload for changes with file-integrity tooling such as AIDE or auditd, restrict the file to root, alert on unexpected LD_PRELOAD values in process environments, and cross-check libc-reported results (file listings, process lists) with statically linked tools that a hooked libc cannot influence.
What are other names for LD_PRELOAD Hijacking?
Common alternative names include: ld.so.preload abuse, Shared library hijack.