MITRE ATT&CK® Analytic

AN0390: Analytic 0390

Detects credential interception via malicious LD_PRELOAD-based shared libraries loaded into ssh, sudo, or scp processes. Correlates environment variable injection, unexpected library loads, and memory patching behavior.

Enterprise | AN0390 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because LD_PRELOAD abuse on Linux can let a malicious shared library intercept credentials from high-value tools such as ssh, sudo, and scp. For leaders, the practical issue is not just malware detection; it is whether Linux identity and administrative workflows can be trusted during an incident.

Executive priority

Prioritize this as a Linux credential-protection and incident-readiness concern. Security leaders should ask whether critical Linux servers collect enough process, environment, library-load, and memory-behavior evidence to prove or disprove credential interception. This also supports audit and response decisions because ssh, sudo, and scp are often tied to privileged access and administrative continuity.

Technical view

The supplied analytic describes correlation across three evidence areas: LD_PRELOAD-style environment variable injection, unexpected shared library loads into ssh/sudo/scp, and memory patching behavior. SOC and IR teams should validate that Linux telemetry can connect process execution, inherited environment variables, loaded shared objects, and suspicious in-memory modification for these processes. Because no official detection logic is provided, teams should treat this as a detection engineering requirement rather than a ready-to-run rule.

Likely telemetry

  • Linux process execution events for ssh, sudo, and scp
  • Process environment data, especially LD_PRELOAD-related variables
  • Shared library or module load telemetry for Linux processes
  • File metadata and paths for loaded shared objects
  • Memory modification or patching indicators where available

Detection direction

  • Validate whether telemetry preserves environment variables at process start; this is a common blind spot.
  • Baseline legitimate shared libraries normally loaded by ssh, sudo, and scp on managed Linux systems.
  • Alert on unexpected shared library loads correlated with LD_PRELOAD-related environment injection, rather than relying on a single signal.
  • Investigate memory patching behavior in these processes when it appears with unusual library loads.
  • Tune carefully for legitimate administrative, debugging, compatibility, or monitoring use cases that may also rely on preload behavior.
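An added example, not code from MITRE or Glexia, that runs the correlation described in the list above over constructed Linux telemetry for ssh, sudo and scp. The event fields, the library baseline, the trusted path prefixes and the two-signal alert threshold are all assumptions for illustration.

```python
from collections import defaultdict

WATCHED = {"ssh", "sudo", "scp"}
PRELOAD_VARS = {"LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH"}
# Assumed baseline: libraries these tools normally load on a managed host.
BASELINE_LIBS = {
    "/lib/x86_64-linux-gnu/libc.so.6",
    "/lib/x86_64-linux-gnu/libcrypto.so.3",
    "/lib/x86_64-linux-gnu/libpam.so.0",
}
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/")  # assumed change-controlled paths

# Constructed sample telemetry: exec events carry the inherited environment,
# load events the shared object path, mprotect events the requested protection.
EVENTS = [
    {"type": "exec", "pid": 101, "comm": "sudo", "env": {"LD_PRELOAD": "/tmp/.x/libhook.so"}},
    {"type": "load", "pid": 101, "comm": "sudo", "path": "/tmp/.x/libhook.so"},
    {"type": "load", "pid": 101, "comm": "sudo", "path": "/lib/x86_64-linux-gnu/libc.so.6"},
    {"type": "mprotect", "pid": 101, "comm": "sudo", "prot": "rwx", "region": "libpam.so.0"},
    {"type": "exec", "pid": 102, "comm": "ssh", "env": {}},
    {"type": "load", "pid": 102, "comm": "ssh", "path": "/lib/x86_64-linux-gnu/libcrypto.so.3"},
    {"type": "exec", "pid": 103, "comm": "scp", "env": {"LD_PRELOAD": "/usr/lib/monitoring/libagent.so"}},
    {"type": "load", "pid": 103, "comm": "scp", "path": "/usr/lib/monitoring/libagent.so"},
]


def correlate(events):
    """Group events per pid and alert only when two or more signals co-occur."""
    per_pid = defaultdict(lambda: {"comm": None, "env": set(), "unexpected": set(), "patch": False})
    for ev in events:
        if ev["comm"] not in WATCHED:
            continue
        rec = per_pid[ev["pid"]]
        rec["comm"] = ev["comm"]
        if ev["type"] == "exec":  # signal 1: preload-style variable in the inherited environment
            rec["env"] = {k for k in ev["env"] if k in PRELOAD_VARS}
        elif ev["type"] == "load":  # signal 2: library outside baseline and trusted paths
            if ev["path"] not in BASELINE_LIBS and not ev["path"].startswith(TRUSTED_PREFIXES):
                rec["unexpected"].add(ev["path"])
        elif ev["type"] == "mprotect" and {"w", "x"} <= set(ev["prot"]):  # signal 3: writable+executable
            rec["patch"] = True
    alerts = []
    for pid, rec in per_pid.items():
        checks = (("preload_env", rec["env"]), ("unexpected_lib", rec["unexpected"]), ("memory_patch", rec["patch"]))
        signals = [name for name, hit in checks if hit]
        # A lone LD_PRELOAD from an approved path (pid 103, the monitoring agent) stays below threshold.
        if len(signals) >= 2:
            alerts.append({"pid": pid, "comm": rec["comm"], "signals": signals, "libs": sorted(rec["unexpected"])})
    return alerts
```

Running `correlate(EVENTS)` flags only pid 101 (sudo with an untrusted preload, an unexpected load and an RWX remap); the scp process with an approved-path preload produces no alert, which is the tuning point the list makes.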

Mitigation priorities

  • Reduce unnecessary use of LD_PRELOAD in production administrative workflows.
  • Harden privileged Linux systems so only trusted users and approved paths can influence process environments and shared libraries.
  • Maintain strong file integrity and change control around shared library locations relevant to privileged tools.
  • Ensure incident response playbooks include credential rotation and session review when malicious library-based interception is suspected.
  • Use least privilege and administrative access governance to limit the blast radius if ssh, sudo, or scp credentials are intercepted.

Analyst notes and limits

This take is based on the official analytic description for AN0390 only. The decision value is strongest for Linux environments where ssh, sudo, and scp are used for administration and where defenders can collect process, environment, library-load, and memory-related telemetry.

ATT&CK supplied no official detection logic, no tactics, and no relationship context for this object. This summary does not assert active exploitation, attribution, or guaranteed detection coverage. Local baselines and telemetry availability are required to operationalize the analytic.

Official MITRE ATT&CK definition

Analytic 0390

Detects credential interception via malicious LD_PRELOAD-based shared libraries loaded into ssh, sudo, or scp processes. Correlates environment variable injection, unexpected library loads, and memory patching behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 9130d54d4215dd13...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (empty)          1.0             (empty)   Current bundle  9130d54d4215…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0390 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.