AN0053: Analytic 0053
A process loads a shared object (.so) via dlopen/LD_PRELOAD/open from non-standard or temporary locations (e.g., /tmp, /dev/shm), especially shortly after that .so is written or fetched, or linked via manipulated environment variables (LD_PRELOAD/LD_LIBRARY_PATH).
Analyst context for executives and security teams
This analytic matters because unexpected Linux shared library loading from temporary or non-standard paths can indicate software behavior that bypasses normal deployment and change-control expectations. For leaders, the decision value is not simply “detect a .so load,” but whether critical Linux workloads have enough process, file, and environment-variable visibility to distinguish legitimate administration or application behavior from suspicious runtime manipulation.
Executive priority
Prioritize this where Linux systems support business-critical services, regulated workloads, or incident response evidence requirements. The key executive question is whether the organization can prove what code was loaded by important processes, from where, and shortly after what file activity. That evidence supports SOC triage, containment decisions, auditability of runtime integrity controls, and prioritization of hardening around temporary directories and library search paths.
Technical view
Validate coverage for Linux processes that load shared objects via dlopen, LD_PRELOAD, open, or related library search behavior from locations such as /tmp and /dev/shm. The supplied analytic emphasizes correlation: a shared object loaded from a non-standard or temporary location is more meaningful when the same file was recently written or fetched, or when LD_PRELOAD or LD_LIBRARY_PATH appears manipulated. Because no official detection logic or tactic mapping is supplied, teams should treat this as a detection design requirement rather than a ready-to-run rule.
Likely telemetry
- Linux process execution and parent/child process context
- File creation, modification, and write events for shared object files
- File open and memory-mapping activity involving .so files (a library load appears as openat followed by mmap with PROT_EXEC), where the telemetry source exposes it
- Environment variables associated with process launch, especially LD_PRELOAD and LD_LIBRARY_PATH
- Command-line arguments and working directory context
Detection direction
- Correlate shared object loads from temporary or non-standard paths with recent file write or fetch activity for the same .so file.
- Tune for legitimate software installers, package managers, build pipelines, security tools, and application runtimes that may use temporary directories during normal operation.
- Pay special attention to privileged, long-running, internet-facing, or business-critical Linux processes loading libraries from unusual locations.
- Validate whether telemetry can capture environment variables at process start; lack of LD_PRELOAD or LD_LIBRARY_PATH visibility is a major blind spot for this analytic.
- Baseline expected library paths for important services so that non-standard paths are not treated in isolation without process and asset context.
Mitigation priorities
- Reduce unnecessary execution and library loading from temporary locations through Linux hardening and filesystem mount options (for example noexec, nosuid and nodev on /tmp, /var/tmp and /dev/shm) where operationally feasible; noexec makes mmap with PROT_EXEC fail on that filesystem, which also defeats LD_PRELOAD and dlopen of a .so stored there.
- Restrict write access to sensitive application and service directories, and review where critical services are permitted to load shared libraries from.
- Use change control and configuration management to define expected library paths for critical workloads.
- Harden service startup environments to prevent unauthorized or unexpected LD_PRELOAD and LD_LIBRARY_PATH values.
- Ensure incident response playbooks preserve process, file, and environment-variable evidence before remediation.
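An added example (not part of the ATT&CK analytic) covering the mitigation and evidence points above: it audits the mount options on the temp filesystems, reports any entries in /etc/ld.so.preload (which the loader applies to every dynamically linked process), and parses /proc/<pid>/maps to list which shared objects a running process actually has mapped from outside the standard library directories, including ones whose on-disk file has already been deleted. The sample inputs are constructed text in the real file formats so the script runs offline; read_live() shows where the same inputs come from on a host. The watched mounts and required options are assumptions to adjust per host.

```python
"""Hardening and evidence checks for temp-directory library loading."""
import re

STANDARD_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
# Mounts that should not be able to supply executable code (assumption).
WATCHED_MOUNTS = ("/tmp", "/var/tmp", "/dev/shm")
REQUIRED_OPTS = frozenset({"noexec", "nosuid", "nodev"})


def audit_mounts(mounts_text):
    """Return {mountpoint: [missing options]} for the watched mount points.

    A watched path with no mount entry of its own lives on the parent
    filesystem and inherits its (normally exec-capable) options, so it is
    reported as missing everything.
    """
    result = {mp: sorted(REQUIRED_OPTS) for mp in WATCHED_MOUNTS}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], set(fields[3].split(","))
        if mountpoint in result:
            result[mountpoint] = sorted(REQUIRED_OPTS - options)
    return result


def audit_ld_so_preload(preload_text):
    """Return the non-comment entries of /etc/ld.so.preload; on a hardened
    host the file should be absent or empty."""
    entries = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


# address perms offset dev inode path [(deleted)]
MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>/.*?)(?P<deleted> \(deleted\))?$")


def loaded_objects(maps_text):
    """Parse /proc/<pid>/maps text and return file-backed .so mappings outside
    the standard library directories. '(deleted)' means the file was unlinked
    after loading: the code still runs but the on-disk copy is gone, so copy
    it out of /proc/<pid>/map_files/ before remediation."""
    seen = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue  # anonymous mapping, [stack], [heap] and similar
        path = m.group("path")
        name = path.rsplit("/", 1)[-1]
        if not (name.endswith(".so") or ".so." in name):
            continue
        if path.startswith(STANDARD_LIB_PREFIXES):
            continue
        seen[path] = seen.get(path, False) or bool(m.group("deleted"))
    return [{"path": p, "deleted": d} for p, d in sorted(seen.items())]


def read_live(pid):
    """Collect the same three inputs from the running host (needs privilege)."""
    def slurp(p):
        try:
            with open(p) as fh:
                return fh.read()
        except OSError:
            return ""
    return (audit_mounts(slurp("/proc/mounts")),
            audit_ld_so_preload(slurp("/etc/ld.so.preload")),
            loaded_objects(slurp(f"/proc/{pid}/maps")))


# Constructed samples in the real file formats (not captured from a host).
SAMPLE_MOUNTS = """\
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=2G 0 0
/dev/sda1 / ext4 rw,relatime 0 0
"""
SAMPLE_PRELOAD = "# managed by config management\n/dev/shm/.cache.so\n"
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2a21000 r--p 00000000 08:01 1234 /usr/sbin/sshd
7f3a10000000-7f3a10022000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10400000-7f3a10403000 r-xp 00000000 00:19 42 /dev/shm/.cache.so (deleted)
7f3a10403000-7f3a10404000 rw-p 00002000 00:19 42 /dev/shm/.cache.so (deleted)
7f3a10500000-7f3a10510000 r-xp 00000000 08:01 9012 /opt/app/lib/libapp.so
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(audit_mounts(SAMPLE_MOUNTS))
    print(audit_ld_so_preload(SAMPLE_PRELOAD))
    print(loaded_objects(SAMPLE_MAPS))
```

The maps parse is the evidence step from the last bullet: it answers "what code is loaded in this process right now" from the kernel's view rather than from the filesystem, which is what survives when the dropped .so has already been unlinked from /dev/shm.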
Analyst notes and limits
This object is a MITRE detection analytic for Linux and provides a behavioral description but no official detection implementation, no tactics, and no relationship context. The strongest use is as a coverage-validation prompt for SOC engineering and Linux hardening reviews, especially around runtime library loading and temporary-path file activity.
The supplied ATT&CK fields do not identify associated techniques, tactics, adversaries, campaigns, mitigations, or active exploitation. Local baselines are required to separate suspicious shared object loading from legitimate administrative, development, packaging, or application behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f6873a0b42bb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN0053
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.