Dynamic Linker Hijacking - T1574.006
(ATT&CK® Technique)
Definition
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.
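A detection-side illustration of the definition above, added here and not part of the D3FEND or ATT&CK material: it parses a process environment block in the NUL-separated layout Linux exposes at /proc/<pid>/environ and reports every library injected through the two variables the definition names. The trusted directory list, the reason labels and the sample blocks are assumptions constructed for the example.

```python
import os

# Loader variables named in the technique definition (Linux and macOS).
PRELOAD_VARS = ("LD_PRELOAD", "DYLD_INSERT_LIBRARIES")
# Assumption: directories this site treats as legitimate library locations.
TRUSTED_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64", "/usr/local/lib")


def parse_environ(raw: bytes) -> dict:
    """Parse a NUL-separated environment block (the /proc/<pid>/environ layout)."""
    env = {}
    for item in raw.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep and name:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env


def split_libs(var: str, value: str) -> list:
    """LD_PRELOAD takes colon- or space-separated entries; DYLD uses colons."""
    for sep in (": " if var == "LD_PRELOAD" else ":"):
        value = value.replace(sep, "\0")
    return [p for p in value.split("\0") if p]


def audit_environ(raw: bytes, trusted=TRUSTED_DIRS) -> list:
    """Return one finding per injected library: (variable, path, reason)."""
    findings = []
    env = parse_environ(raw)
    for var in PRELOAD_VARS:
        for lib in split_libs(var, env.get(var, "")):
            norm = os.path.normpath(lib)  # collapses ../ tricks before the check
            if not os.path.isabs(lib):
                reason = "not-absolute-path"
            elif not any(norm.startswith(d + "/") for d in trusted):
                reason = "outside-trusted-dirs"
            else:
                reason = "preload-set"  # still worth review: preloading is rare
            findings.append((var, lib, reason))
    return findings


# Constructed sample blocks, not captured from a real host.
CLEAN = b"PATH=/usr/bin:/bin\0HOME=/root\0"
SUSPECT = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so /usr/lib/libjemalloc.so.2\0"

if __name__ == "__main__":
    for label, block in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_environ(block))
```

On a live Linux host the same function can be fed the bytes read from each /proc/<pid>/environ, which requires sufficient privilege to read other users' processes.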
D3FEND Inferred Relationships
Dynamic Linker Hijacking modifies the artifact Operating System Configuration File. The defensive techniques below act on that artifact; each entry gives the technique's relationship to the artifact, then its inferred relationship to Dynamic Linker Hijacking.

- Decoy File: spoofs Operating System Configuration File; may-deceive Dynamic Linker Hijacking
- Content Modification: modifies Operating System Configuration File; may-isolate Dynamic Linker Hijacking
- File Integrity Monitoring: analyzes Operating System Configuration File; may-detect Dynamic Linker Hijacking
- Content Quarantine: quarantines Operating System Configuration File; may-isolate Dynamic Linker Hijacking
- File Eviction: deletes Operating System Configuration File; may-evict Dynamic Linker Hijacking
- System File Analysis: analyzes Operating System Configuration File; may-detect Dynamic Linker Hijacking
- Content Filtering: filters Operating System Configuration File; may-isolate Dynamic Linker Hijacking
- Remote File Access Mediation: isolates Operating System Configuration File; may-isolate Dynamic Linker Hijacking
- File Encryption: encrypts Operating System Configuration File; may-harden Dynamic Linker Hijacking
- Restore File: restores Operating System Configuration File; may-restore Dynamic Linker Hijacking
- Local File Permissions: restricts Operating System Configuration File; may-isolate Dynamic Linker Hijacking
- File Analysis: analyzes Operating System Configuration File; may-detect Dynamic Linker Hijacking