T1055.014: VDSO Hijacking
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).[1][2][3][4]
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.
Analyst context for executives and security teams
VDSO Hijacking is a Linux process-injection technique where malicious code can run inside another live process by abusing how Linux exposes syscall-related code and shared-library references. The business issue is not the mechanics alone: activity may appear to come from a legitimate process, which can weaken process-name-based monitoring, complicate incident scoping, and create privilege-escalation risk if the targeted process has higher privileges or valuable access.
Executive priority
Treat this as a Linux endpoint and workload visibility problem tied to resilience and incident response readiness. Leaders should ask whether SOC tooling can investigate memory/process tampering on Linux, not just suspicious binaries or command lines. This technique also supports control-prioritization discussions around endpoint behavior prevention, privileged process hardening, and audit evidence showing that Linux systems are monitored for anomalous process behavior rather than only known malware signatures.
Technical view
For SOC, detection engineering, and IR teams, validate coverage for Linux process injection under T1055, specifically behavior consistent with VDSO/GOT-related manipulation and execution flow redirection within a legitimate process. MITRE provides no official detection text for this sub-technique, but the relationship context identifies DET0448, Detection Strategy for VDSO Hijacking on Linux, as relevant. Teams should review whether Linux EDR, kernel/audit telemetry, memory-forensics procedures, and endpoint behavior-prevention controls can surface suspicious process memory changes, unexpected shared object mapping, anomalous syscall behavior, or legitimate processes performing activity inconsistent with their role.
Likely telemetry
- Linux endpoint process telemetry, including parent/child process context and process lineage
- Process memory mapping and shared object load evidence
- Signals of process memory modification or execution flow changes where available
- Kernel, syscall, audit, or EDR events related to suspicious process behavior
- File and library mapping activity involving unexpected shared objects
Detection direction
- Do not rely only on process names, command lines, or allowlists; this behavior is specifically valuable because execution can be masked under a legitimate process.
- Use the DET0448 relationship as the starting point for a Linux-specific detection review for VDSO hijacking.
- Tune analytics around legitimate processes exhibiting unexpected memory, library-mapping, syscall, network, or privilege-related behavior.
- Validate visibility on high-value Linux servers and workloads, not only user endpoints.
- Expect false positives from legitimate debugging, profiling, instrumentation, or security tooling that modifies or inspects process memory; detection should include process role, user context, host criticality, and change windows.
Mitigation priorities
- Prioritize behavior prevention on Linux endpoints and workloads, aligned to MITRE M1040 Behavior Prevention on Endpoint.
- Harden and monitor privileged Linux processes and services whose compromise would create meaningful privilege or data-access exposure.
- Limit unnecessary debugging or process-manipulation capabilities where operationally feasible, and monitor their use closely.
- Use layered controls: endpoint behavior monitoring, least privilege, change control for shared libraries, and response procedures for suspicious in-memory activity.
- For compliance and audit readiness, document what Linux telemetry is collected, how long it is retained, and how analysts investigate suspected process injection.
Analyst notes and limits
This object is a Linux sub-technique of Process Injection with tactics listed as stealth and privilege-escalation. The supplied ATT&CK content emphasizes evasion of process-based defenses and possible privilege elevation through execution inside another process. The most important defensive takeaway is to validate Linux behavioral and memory-level visibility, especially for critical servers and workloads.
MITRE did not provide official detection guidance in the supplied object. The assessment is therefore based on the official description, platform/tactic fields, the parent Process Injection relationship, the DET0448 detection-strategy relationship, and the M1040 mitigation relationship. Local architecture, endpoint tooling, Linux distribution, kernel configuration, and workload behavior are required to determine actual exposure or coverage.
VDSO Hijacking
Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.
VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).[1][2][3][4]
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055 | Process Injection | This object subtechnique of Process Injection. |
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.0 | Current bundle | b21e167bb40e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
ELF Injection May 2009
O'Neill, R. (2009, May). Modern Day ELF Runtime infection via GOT poisoning. Retrieved March 15, 2020.
Open source URL -
[2]
Backtrace VDSO
backtrace. (2016, April 22). ELF SHARED LIBRARY INJECTION FORENSICS. Retrieved November 17, 2024.
Open source URL -
[3]
VDSO Aug 2005
Petersson, J. (2005, August 14). What is linux-gate.so.1?. Retrieved June 16, 2020.
Open source URL -
[4]
Syscall 2014
Drysdale, D. (2014, July 16). Anatomy of a system call, part 2. Retrieved June 16, 2020.
Open source URL -
[5]
mitre-attack T1055.014Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.