T1055.014 VDSO Hijacking Mappings

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.

VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-6 Least Privilege Protects T1055.014 VDSO Hijacking
SC-18 Mobile Code Protects T1055.014 VDSO Hijacking
SC-7 Boundary Protection Protects T1055.014 VDSO Hijacking
SI-2 Flaw Remediation Protects T1055.014 VDSO Hijacking
SI-3 Malicious Code Protection Protects T1055.014 VDSO Hijacking
SI-4 System Monitoring Protects T1055.014 VDSO Hijacking
azure_defender_for_app_service Azure Defender for App Service technique_scores T1055.014 VDSO Hijacking