Techniques
Sample rules
Disable ASLR Via Personality Syscall - Linux
- source: sigma
- techniques:
  - t1055
  - t1055.009
  - t1562
  - t1562.001
Description
Detects the use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers for exploit development, or to bypass memory protection mechanisms.
A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
Detection logic
condition: selection
selection:
    a0: 40000
    syscall: 135
    type: SYSCALL
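The selection above applied to auditd records, as an added Python example that is not part of the Sigma rule or its source: it parses constructed SYSCALL lines, applies the literal type/syscall/a0 match, and, as an extension beyond the rule, also tests the ADDR_NO_RANDOMIZE bit so that a call combining it with other personality flags still produces a hit. It assumes x86_64 auditd output (arch=c000003e), where syscall 135 is personality(2) and arguments are logged as bare hex.

```python
import re

# Values from the rule: personality(2) is syscall 135 on x86_64, and
# ADDR_NO_RANDOMIZE is 0x0040000. auditd logs a0..a3 as hex without "0x".
PERSONALITY_SYSCALL_X86_64 = 135
ADDR_NO_RANDOMIZE = 0x0040000

# Constructed auditd records for illustration (not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=135 success=yes exit=0 a0=40000 a1=0 a2=0 a3=0 pid=4201 uid=1000 comm="setarch" exe="/usr/bin/setarch"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=5603e0 a2=80000 a3=0 pid=4202 uid=1000 comm="cat" exe="/usr/bin/cat"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=135 success=yes exit=0 a0=8040000 a1=0 a2=0 a3=0 pid=4203 uid=1000 comm="runner" exe="/tmp/runner"
type=PROCTITLE msg=audit(1700000000.101:201): proctitle=7365746172636800782038365F363400"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Turn one auditd line into a dict of its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def matches_sigma_rule(rec):
    """Literal Sigma selection: type=SYSCALL, syscall=135, a0 exactly '40000'."""
    return (rec.get("type") == "SYSCALL"
            and rec.get("syscall") == str(PERSONALITY_SYSCALL_X86_64)
            and rec.get("a0") == "40000")


def matches_flag_bit(rec):
    """Broader check (an extension, not the rule): decode a0 as hex and test the
    ADDR_NO_RANDOMIZE bit, so combined personality flags are still caught."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != str(PERSONALITY_SYSCALL_X86_64):
        return False
    try:
        return bool(int(rec["a0"], 16) & ADDR_NO_RANDOMIZE)
    except (KeyError, ValueError):
        return False


def scan(log, matcher):
    """Return (pid, comm, a0) for every record the matcher flags."""
    hits = []
    for line in log.splitlines():
        rec = parse_audit_record(line)
        if matcher(rec):
            hits.append((rec.get("pid"), rec.get("comm"), rec.get("a0")))
    return hits


if __name__ == "__main__":
    print("sigma rule:", scan(SAMPLE_LOG, matches_sigma_rule))
    print("flag bit  :", scan(SAMPLE_LOG, matches_flag_bit))
```

The third record (a0=8040000, ADDR_NO_RANDOMIZE combined with another personality flag) is missed by the exact-value match and caught only by the bit test, which is the gap to keep in mind when deploying the rule as written.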