MITRE ATT&CK® Detection Strategy

DET0448: Detection Strategy for VDSO Hijacking on Linux


Enterprise | DET0448 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0448 is a MITRE detection strategy object for detecting VDSO Hijacking on Linux. The business significance is that this behavior is tied to stealth and privilege-escalation: an adversary may run code inside another live process in a way that can evade process-based defenses. For leaders, the key question is not whether this specific ATT&CK detection strategy contains ready-to-use logic—it does not in the supplied fields—but whether Linux monitoring, memory/process investigation, and incident response playbooks can recognize suspicious in-process code execution rather than relying only on process names or command lines.

Executive priority

Prioritize this as a Linux detection and incident-response readiness issue where Linux hosts support critical services, privileged workloads, or regulated systems. Because the related technique is associated with stealth and privilege escalation, coverage decisions should focus on whether the organization can produce defensible evidence during an incident: process memory indicators, process relationships, security control alerts, and host-level investigation data. Budget and control discussions should challenge any assumption that process-based allowlisting or basic EDR process telemetry alone is sufficient.

Technical view

The supplied ATT&CK object has no official description or detection text, but it detects T1055.014, VDSO Hijacking, on Linux. SOC and detection engineering teams should validate whether existing Linux telemetry can expose suspicious manipulation or execution within a live process address space, especially where normal process-based signals may not show a new malicious process. IR teams should ensure Linux triage procedures include memory-aware investigation and review of suspicious privilege-escalation or stealth behavior rather than stopping at process listings.

Likely telemetry

  • Linux host process telemetry, including process ancestry and command-line context
  • Endpoint security or EDR alerts related to process injection, memory manipulation, or suspicious in-process execution
  • Linux audit or system-call oriented telemetry where available and appropriate
  • Process memory inspection artifacts collected during incident response
  • Privilege-escalation indicators associated with affected Linux processes

Detection direction

  • Validate whether Linux detections look beyond new process creation and can identify suspicious behavior occurring inside an existing process.
  • Tune correlation around stealth and privilege-escalation context, such as unexpected privileged process behavior or suspicious interactions with live processes.
  • Review blind spots where Linux servers have limited EDR, no audit collection, or no ability to preserve memory/process artifacts during response.
  • Use the relationship to T1055.014 as the main technical anchor; the DET0448 object itself does not provide official analytic logic in the supplied fields.
  • Account for false positives from legitimate debugging, observability, performance tooling, or administrative activity that may interact with live process state.
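As an added illustration of the first and last points above (looking for activity inside an existing process rather than at process creation, and allowing for legitimate debugging tooling), the following Python is example code written for this page; it is not Glexia's or MITRE's detection logic. It assumes auditd syscall rules for ptrace and process_vm_writev are in place on x86_64 hosts (syscall numbers 101 and 311), parses a few constructed audit records, and flags successful writes into another process's memory made by programs outside an assumed allowlist.

```python
"""Flag auditd SYSCALL records that write into another live process's memory.

Example code for this page (not Glexia's or MITRE's logic). The audit lines,
the allowlist and the rule key 'ptrace' are constructed assumptions.
"""
import re
from dataclasses import dataclass

# x86_64 syscall numbers as they appear in auditd 'syscall=' fields.
SYSCALL_PTRACE = 101
SYSCALL_PROCESS_VM_WRITEV = 311

# ptrace request codes that modify the tracee (values from <sys/ptrace.h>).
PTRACE_WRITE_REQUESTS = {4: "PTRACE_POKETEXT", 5: "PTRACE_POKEDATA", 13: "PTRACE_SETREGS"}

# Assumed allowlist of tooling expected to touch live processes in this environment.
ALLOWED_COMM = {"gdb", "strace"}

# auditd records are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    pid: int          # process that performed the write
    comm: str         # its command name from the audit record
    target_pid: int   # process whose memory was written
    reason: str       # which write primitive was observed


def parse_record(line: str) -> dict:
    """Turn one auditd line into a dict of fields, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def analyze(lines) -> list:
    """Return one Finding per successful cross-process memory write by a non-allowlisted program."""
    findings = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "SYSCALL" or f.get("success") != "yes":
            continue
        nr = int(f.get("syscall", "-1"))
        if nr == SYSCALL_PTRACE:
            request = int(f["a0"], 16)      # ptrace(request, pid, addr, data)
            if request not in PTRACE_WRITE_REQUESTS:
                continue                     # attach/peek/cont are not writes
            target = int(f["a1"], 16)
            reason = PTRACE_WRITE_REQUESTS[request]
        elif nr == SYSCALL_PROCESS_VM_WRITEV:
            target = int(f["a0"], 16)       # process_vm_writev(pid, ...)
            reason = "process_vm_writev"
        else:
            continue
        comm = f.get("comm", "?")
        if comm in ALLOWED_COMM:
            continue                         # expected debugging tooling
        findings.append(Finding(int(f["pid"]), comm, target, reason))
    return findings


# Constructed sample records (not real captures). a0/a1 are hex, as auditd prints them.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=1500 ppid=1400 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.101:102): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7f00 a3=90 pid=1500 ppid=1400 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.200:103): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7f00 a3=90 pid=2001 ppid=1 uid=1000 comm="updater" exe="/tmp/updater" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.300:104): arch=c000003e syscall=311 success=yes exit=8 a0=4d2 a1=7ffd a2=1 a3=7ffe pid=2002 ppid=1 uid=1000 comm="helper" exe="/tmp/helper" key="ptrace"',
    'type=SYSCALL msg=audit(1700000000.400:105): arch=c000003e syscall=311 success=no exit=-1 a0=4d2 a1=7ffd a2=1 a3=7ffe pid=2003 ppid=1 uid=1000 comm="helper2" exe="/tmp/helper2" key="ptrace"',
    'type=PROCTITLE msg=audit(1700000000.400:105): proctitle="helper2"',
]


def findings_for_samples() -> list:
    """Run the analysis over the constructed records."""
    return analyze(SAMPLE_RECORDS)


if __name__ == "__main__":
    for finding in findings_for_samples():
        print(f"pid={finding.pid} comm={finding.comm} wrote into pid={finding.target_pid} via {finding.reason}")
```

On the sample data only the two unknown binaries are reported: the gdb attach is not a write, the gdb poke is allowlisted, and the failed process_vm_writev is ignored. The comm-based allowlist is the weakest part of this sketch and is deliberately an assumption; in production the check should key on executable path or signature and the target PID should be joined to process-ancestry telemetry, since the whole point of the technique is that no new process appears.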

Mitigation priorities

  • First, identify Linux systems where stealthy in-process execution would materially affect business continuity or privileged access risk.
  • Ensure endpoint monitoring and response tooling is deployed and operational on those Linux systems, not only on user endpoints.
  • Restrict and monitor administrative/debugging capabilities that can interact with live processes, consistent with operational requirements.
  • Build incident response procedures for Linux memory/process triage so analysts can preserve evidence when process-based telemetry is inconclusive.
  • Use detection validation exercises to confirm that SOC workflows escalate suspicious Linux privilege-escalation and process-injection-like behavior.

Analyst notes and limits

This take is based on a detection strategy object, DET0448, and its supplied relationship to ATT&CK technique T1055.014, VDSO Hijacking. The relationship supplies the most useful context: Linux platform, stealth and privilege-escalation tactics, and the concept of injecting arbitrary code into another live process address space by redirecting calls associated with dynamically linked shared libraries.

The supplied DET0448 fields contain no official description, no official detection guidance, no tactics, and no platforms on the detection-strategy object itself. Linux, stealth, privilege-escalation, and the behavioral description come from the related T1055.014 technique context. Local telemetry availability, tool capability, and baseline administrative activity must be validated before treating any detection approach as effective.

Official MITRE ATT&CK definition

Detection Strategy for VDSO Hijacking on Linux

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain: Enterprise
ID: T1055.014
Name: VDSO Hijacking (Sub-technique)
Relationship / procedure: This object detects VDSO Hijacking.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 4fcbf8f2bcf49592...

Imported snapshots across ATT&CK releases (1)

Release: 19.1
Bundle imported:
Object version: 1.0
Modified:
Status: Current bundle
Raw hash: 4fcbf8f2bcf4…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] mitre-attack: DET0448 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.