Esc

Dynamic Linker Hijacking - T1574.006

(ATT&CK® Technique)

Definition

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1574006["Dynamic Linker Hijacking"] --> |modifies| OperatingSystemConfigurationFile["Operating System Configuration File"]; class T1574006 OffensiveTechniqueNode;
        class OperatingSystemConfigurationFile ArtifactNode; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";
        click T1574006 href "/offensive-technique/attack/T1574.006/"; click OperatingSystemConfigurationFile href "/dao/artifact/d3f:OperatingSystemConfigurationFile";             FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1574006["Dynamic Linker Hijacking"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DecoyFile["Decoy File"] -->
          | spoofs | OperatingSystemConfigurationFile["Operating System Configuration File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1574006["Dynamic Linker Hijacking"] ;
          class DecoyFile DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";                           FileEviction["File Eviction"] -->
          | deletes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1574006["Dynamic Linker Hijacking"] ;
          class FileEviction DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";              FileAnalysis["File Analysis"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1574006["Dynamic Linker Hijacking"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | OperatingSystemConfigurationFile["Operating System Configuration File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1574006["Dynamic Linker Hijacking"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";                           FileEncryption["File Encryption"] -->
          | encrypts | OperatingSystemConfigurationFile["Operating System Configuration File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1574006["Dynamic Linker Hijacking"] ;
          class FileEncryption DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption";              LocalFilePermissions["Local File Permissions"] -->
          | restricts | OperatingSystemConfigurationFile["Operating System Configuration File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1574006["Dynamic Linker Hijacking"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";              RestoreFile["Restore File"] -->
          | restores | OperatingSystemConfigurationFile["Operating System Configuration File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1574006["Dynamic Linker Hijacking"] ;
          class RestoreFile DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";              SystemFileAnalysis["System File Analysis"] -->
          | analyzes | OperatingSystemConfigurationFile["Operating System Configuration File"];

          SystemFileAnalysis["System File Analysis"] -.->
            | may-detect | T1574006["Dynamic Linker Hijacking"] ;
          class SystemFileAnalysis DefensiveTechniqueNode;
          class OperatingSystemConfigurationFile ArtifactNode;
          click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis";

json