Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1209: Analytic 1209

Detection focuses on identifying abuse of LD_PRELOAD and related linker variables. Defender perspective: monitor unexpected setting or modification of LD_PRELOAD in shell initialization scripts or environment exports, file creation of suspicious shared libraries, and correlation of these modifications with anomalous process execution. Key signals include execve events with LD_PRELOAD defined, newly created .so files in user directories, and processes hooking libc functions exhibiting abnormal behavior.

EnterpriseAN1209AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic matters because abuse of LD_PRELOAD and related Linux linker environment variables can let unwanted code run inside otherwise legitimate processes. For leaders, the practical issue is visibility: if Linux endpoint, server, or workload telemetry does not capture environment variables, shell startup changes, suspicious shared-object files, and process execution context, this behavior may blend into normal administration activity.

Executive priority

Prioritize this as a Linux detection-readiness and incident-response validation item. It is most useful for assessing whether SOC teams can connect changes to shell initialization or environment exports with later anomalous process execution. The business decision is not just whether a rule exists, but whether Linux logging, endpoint coverage, and response playbooks can prove when linker-variable abuse occurred and what processes were affected.

Technical view

Validate collection and correlation around Linux execve activity where LD_PRELOAD is defined, modifications to shell initialization scripts or environment exports, creation of new .so files in user directories, and abnormal behavior from processes that appear to hook libc functions. Because no ATT&CK tactic or relationship context is supplied, treat this analytic as behavior-focused detection logic rather than a complete attack narrative. SOC teams should test whether telemetry preserves process environment data and file-creation context with enough fidelity to link the variable change, shared library creation, and subsequent process execution.

Likely telemetry

  • Linux process execution events, especially execve with captured environment variables
  • Environment variable setting or export activity involving LD_PRELOAD or related linker variables
  • File modification events for shell initialization scripts
  • File creation events for shared libraries, especially .so files in user directories
  • Process behavior telemetry that can indicate abnormal execution or libc function hooking

Detection direction

  • Confirm whether Linux telemetry actually captures environment variables at process start; many deployments collect process names and arguments but not full environment context.
  • Correlate LD_PRELOAD presence with recent shell initialization changes, environment exports, or newly created shared libraries rather than alerting on the variable alone.
  • Tune for expected administrative, development, or troubleshooting use of preload mechanisms to reduce false positives.
  • Review user-directory .so creation followed by process execution as a higher-value signal than isolated file creation.
  • Because official detection content and relationship context are not supplied, validate locally which processes, users, and paths are normal before treating activity as suspicious.

Mitigation priorities

  • Establish baseline visibility for Linux process execution, environment variables, shell initialization files, and shared-library file creation.
  • Limit unnecessary ability for users or services to modify startup scripts and load arbitrary shared libraries where operationally feasible.
  • Ensure incident response procedures include collecting affected process details, environment context, modified startup files, and suspicious .so artifacts.
  • Use change-control and compliance evidence to show that Linux monitoring covers persistence- or execution-relevant environment changes where required.
Analyst notes and limits

The supplied object is a detection analytic for Linux focused on LD_PRELOAD and related linker-variable abuse. It provides useful signal guidance but no ATT&CK tactics, no related techniques, and no formal detection block. Glexia’s interpretation therefore emphasizes validation of telemetry and correlation rather than asserting a specific adversary objective or campaign use.

This take is constrained to the supplied ATT&CK fields. No active exploitation, attribution, impact, guaranteed detection coverage, or non-Linux applicability is implied. Local baselines are required to distinguish legitimate preload use from suspicious activity.

Official MITRE ATT&CK definition

Analytic 1209

Detection focuses on identifying abuse of LD_PRELOAD and related linker variables. Defender perspective: monitor unexpected setting or modification of LD_PRELOAD in shell initialization scripts or environment exports, file creation of suspicious shared libraries, and correlation of these modifications with anomalous process execution. Key signals include execve events with LD_PRELOAD defined, newly created .so files in user directories, and processes hooking libc functions exhibiting abnormal behavior.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
b49a380857b1db33...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle b49a380857b1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1209
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use