Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)
- LD_PRELOAD, LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)
echo #{path_to_shared_library} > /etc/ld.so.preload
echo /home/$USER/random.so > /etc/ld.so.preload
auditlogs (audit.rules)
bash_history logs
index=linux sourcetype=linux_audit preload_lib
-w /etc/ld.so.preload -p wa -k preload_lib
index=linux sourcetype="bash_history" ld.so.preload | table host,user_name,bash_command