attack-ent-t1055-014-vdso-hijacking


By santosomar. Updated 5/9/2026.

---
name: attack-ent-t1055-014-vdso-hijacking
description: "Analyze MITRE ATT&CK T1055.014 VDSO Hijacking in the enterprise matrix. Use for TTP triage, detection engineering, hunting, defensive emulation planning, mitigations, incident response mapping, ATT&CK coverage, or questions mentioning T1055.014, VDSO Hijacking, or enterprise ATT&CK. Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges."
license: MITRE ATT&CK Terms of Use apply to ATT&CK-derived content. See https://attack.mitre.org/resources/terms-of-use/
metadata:
  source: mitre-attack/attack-stix-data
  domain: enterprise
  attack_id: T1055.014
  attack_stix_id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5
  attack_version: "2.0"
  attack_modified: "2026-04-15T22:30:51.756Z"
---

MITRE ATT&CK T1055.014: VDSO Hijacking

When to use this skill

Use this skill when the task involves T1055.014, VDSO Hijacking, enterprise ATT&CK, TTP mapping, detection engineering, hunting, incident-response enrichment, control validation, or authorized adversary-emulation planning. Treat it as a defensive analysis aid: keep outputs focused on understanding, detecting, mitigating, and safely validating this ATT&CK sub-technique.

Technique context

  • ATT&CK domain: enterprise
  • ATT&CK ID: T1055.014
  • Technique name: VDSO Hijacking
  • Type: sub-technique
  • ATT&CK URL: https://attack.mitre.org/techniques/T1055/014
  • Tactics: privilege-escalation, stealth
  • Platforms: Linux
  • Required permissions: Not specified
  • Effective permissions: Not specified
  • Defenses bypassed: Not specified

ATT&CK description

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.

VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009)(Citation: Backtrace VDSO)(Citation: VDSO Aug 2005)(Citation: Syscall 2014)

Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.
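A hunting aid for the footprint described above, added here as an example and not part of this skill or of MITRE's content: it parses a /proc/<pid>/maps listing (a constructed sample is embedded) and flags executable regions that a shared object mapped into a live process typically leaves behind, namely anonymous or writable-and-executable regions, memfd-backed or deleted-file mappings, and code outside the trusted library paths (TRUSTED_PREFIXES is an assumed baseline). It does not check GOT integrity, so treat hits as leads for the triage questions in references/detection-and-mitigation.md, not as proof.

```python
import re
from collections import namedtuple
from typing import List, Optional

# Constructed sample of /proc/<pid>/maps output; paths, addresses and inodes are made up.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a02000 r-xp 00000000 fd:01 1311 /usr/bin/sleep
7f3b1c000000-7f3b1c1c0000 r-xp 00000000 fd:01 2212 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3b1c3f0000-7f3b1c3f2000 rwxp 00000000 00:00 0
7f3b1c400000-7f3b1c402000 r-xp 00000000 00:05 4211 /memfd:payload (deleted)
7f3b1c500000-7f3b1c502000 r-xp 00000000 fd:01 9911 /tmp/evil.so (deleted)
7ffd5a1e0000-7ffd5a1e2000 r-xp 00000000 00:00 0 [vdso]
7ffd5a1e2000-7ffd5a1e4000 r--p 00000000 00:00 0 [vvar]
"""

# One maps line: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")
EXPECTED_KERNEL = {"[vdso]", "[vsyscall]"}            # kernel-provided executable regions
TRUSTED_PREFIXES = ("/usr/", "/lib", "/bin", "/sbin")  # assumption: tune to your baseline
Finding = namedtuple("Finding", "start end perms path reason")

def classify(perms: str, path: str) -> Optional[str]:
    """Return why an executable mapping looks suspicious, or None if it is expected."""
    if "x" not in perms or path in EXPECTED_KERNEL:
        return None
    if "w" in perms:
        return "writable and executable region"
    if not path:
        return "anonymous executable mapping"
    if path.startswith("/memfd:"):
        return "memfd-backed executable mapping"
    if path.endswith("(deleted)"):
        return "executable mapping backed by a deleted file"
    if not path.startswith(TRUSTED_PREFIXES):
        return "executable mapping outside system library paths"
    return None

def scan_maps(text: str) -> List[Finding]:
    """Parse a maps listing and return suspicious executable mappings in order."""
    findings = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # tolerate blank or malformed lines instead of aborting the scan
        start, end, perms, path = m.groups()
        reason = classify(perms, path.strip())
        if reason:
            findings.append(Finding(int(start, 16), int(end, 16), perms, path.strip(), reason))
    return findings
```

For a live process on the local host, call scan_maps(open(f"/proc/{pid}/maps").read()) with sufficient permission to read that file.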

Agent workflow

  1. Clarify scope: identify the system, asset class, log sources, cloud or endpoint platform, and whether the user wants triage, detection, coverage assessment, or safe emulation planning.
  2. Load bundled resources as needed: use references/technique-profile.json for structured metadata, references/detection-and-mitigation.md for triage and telemetry guidance, references/known-threat-context.md for ATT&CK relationship context, and templates/ for repeatable outputs.
  3. Map observations to ATT&CK: compare the user's evidence to the ATT&CK description, tactics, platforms, and known procedure patterns before asserting a match.
  4. Produce defensive outputs: prioritize hypotheses, telemetry requirements, detection logic ideas, validation steps, containment guidance, and mitigations.
  5. Preserve uncertainty: distinguish confirmed evidence, plausible indicators, assumptions, and gaps. Recommend what to collect next.
  6. Stay safe: do not provide malware, credential theft, persistence, evasion, destructive automation, or unauthorized exploitation instructions. For adversary emulation, keep steps bounded to approved lab or control-validation contexts and omit operational abuse details.

Bundled resources

  • references/technique-profile.json: machine-readable ATT&CK metadata for this technique.
  • references/detection-and-mitigation.md: detection notes, telemetry checklist, triage questions, mitigation candidates, and false-positive considerations.
  • references/known-threat-context.md: ATT&CK relationship context with attribution cautions.
  • templates/detection-brief.md: detection engineering brief template.
  • templates/hunt-plan.md: threat hunt plan template.
  • templates/incident-response-note.md: incident response note template.
  • templates/coverage-assessment.md: ATT&CK coverage assessment template.
  • scripts/render_brief.py: local helper that renders a Markdown defensive brief from technique-profile.json.
  • assets/output-schema.json: JSON schema for structured technique analysis outputs.

To generate a quick brief, run python scripts/render_brief.py --output brief.md from inside this skill directory, or adapt the templates directly.

Detection guidance

No ATT&CK detection guidance was present in the source STIX object.

Useful telemetry and data sources

  • Not specified in the STIX object.

Mitigations to consider

  • Behavior Prevention on Endpoint

Known threat context

Use these examples only as contextual leads, not as proof that an observed event is this technique:

  • No group or software uses relationships were included for this technique in the source STIX bundle.

Recommended output pattern

When responding with this skill, structure the answer as:

  • Assessment: whether the evidence supports this ATT&CK mapping and why.
  • Evidence: specific indicators, logs, behaviors, and assumptions.
  • Detection: telemetry sources, analytic logic, and tuning considerations.
  • Response: containment, eradication, recovery, and validation actions.
  • Coverage gaps: missing logs, sensors, controls, or environmental details.
  • References: include the ATT&CK URL and any user-provided evidence references.