1. Overview

An execution flow hijack attempt incident indicates that a possible attempt to hijack a program execution flow was observed. Special Linux library system files, which have a system-wide effect, were altered (this is usually undesirable, and is typically employed only as an emergency remedy or maliciously).

2. Investigation

The following incident shows that the binary sudo wrote to ld.so.preload file, which is a special Linux system file that impacts the entire system. By editing the Linux dynamic loader or files relied upon by the loader such as ld.so.preload, the attacker can inject malicious code to any binary execution.

For further information about these files, see the following link.

execution flow hijack attempt incident

Your investigation should focus on:

  • Determining the process that opened the Special Linux file.

  • If the source of the alteration was an interactive process (such as shell), determine how an attacker gained access to that process.

  • Review the forensics date for the host, other entries in the Incident Explorer, and audits from the source, looking for unusual process execution, hijacked processes, and explicit execution of commands.

3. Mitigation

A full mitigation strategy for this incident begins by resolving the issues that allowed the attacker to access and modify the system file.

In addition, track the change that was done to the configuration in the system file. For example, in case of detected modification to the ld.so.preload file, look for the shared library that was added to the file and determine the source of this malicious shared library.

Ensure that compliance benchmarks are appropriately applied to the affected resources. For example, if the critical file systems in the host are mounted read-only, it will be more difficult for an attacker to change system files and configurations to their advantage.