aiwg

Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platfo
title: LD_PRELOAD Rootkit Indicator
id: 9f4c1d2e-5a8b-4c7d-9e1f-2b3a4c5d6e7f
status: stable
description: Detects creation, modification, or access of /etc/ld.so.preload, which is used by LD_PRELOAD rootkits to inject malicious shared libraries into every process on the system. The presence of this file on a production system is a critical indicator of compromise.
references:
  - https://attack.mitre.org/techniques/T1574/006/
  - https://www.cyberciti.biz/tips/linux-shared-library-management.html
  - https://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
author: forensics-complete
date: 2025-11-14
modified: 2025-11-14
tags:
  - attack.persistence
  - attack.t1574.006
  - attack.defense_evasion
  - attack.t1014
logsource:
  product: linux
  category: file_change
detection:
  selection:
    file_path: '/etc/ld.so.preload'
  condition: selection
falsepositives:
  - Legitimate use of LD_PRELOAD for debugging or performance profiling in development environments; this file should not exist on production systems
  - Some monitoring agents (rarely) that use preloading for syscall interception
level: critical
fields:
  - file_path
  - file_sha256
  - file_content
  - process_name
  - process_pid
  - user
  - timestamp
---
# Detection Logic Note
#
# Direct detection command (no SIEM required):
#
#   ls -la /etc/ld.so.preload && cat /etc/ld.so.preload
#
# If this file exists:
#   1. STOP automated analysis immediately
#   2. All standard binaries on this system may be compromised
#   3. Use statically-linked binaries from clean media for further collection
#   4. Follow red-flag-escalation.md Rule 1 escalation procedures
#
# Context: /etc/ld.so.preload causes the dynamic linker to load listed
# shared libraries into every process before any other library. A malicious
# library in this file can intercept and lie about: file listings (ls),
# process listings (ps), network connections (netstat/ss), and system calls.
#
# Example malicious /etc/ld.so.preload content:
#   /lib/libprocess-hide.so
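The rule's detection block and the triage note above can be exercised without a SIEM. The following script is an added example, not part of the aiwg package: it applies the rule's `selection`/`condition` logic to constructed `file_change` events, parses the collected `file_content` the way glibc's loader reads `/etc/ld.so.preload` (names separated by whitespace or `:`, `#` starting a comment), emits an alert carrying the rule's `fields`, and offers a local check mirroring the `ls`/`cat` command. The event dictionaries, the `build_alert`/`run_rule` helper names and the `preload_entries` output field are assumptions of this example; the only preload entry used is the one the rule itself cites.

```python
"""Evaluate the LD_PRELOAD Rootkit Indicator rule against file_change
events and triage the collected contents of /etc/ld.so.preload.
Added example; not part of the aiwg package."""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Optional

PRELOAD_PATH = "/etc/ld.so.preload"
RULE_ID = "9f4c1d2e-5a8b-4c7d-9e1f-2b3a4c5d6e7f"

# Constructed sample events in the shape a file_change log source would emit.
# Field names follow the rule's `fields:` list.
SAMPLE_EVENTS: List[Dict] = [
    {"file_path": "/etc/ld.so.cache", "process_name": "ldconfig",
     "process_pid": 1201, "user": "root",
     "timestamp": "2025-11-14T03:11:52Z", "file_content": ""},
    {"file_path": PRELOAD_PATH, "process_name": "bash",
     "process_pid": 4242, "user": "root",
     "timestamp": "2025-11-14T03:12:09Z",
     "file_content": "/lib/libprocess-hide.so\n"},
]


def matches_rule(event: Dict) -> bool:
    """The rule's detection block: `selection` is an exact file_path match
    and `condition: selection` means the selection alone triggers."""
    return event.get("file_path") == PRELOAD_PATH


def parse_preload(content: str) -> List[str]:
    """Return the shared objects listed in ld.so.preload content.

    glibc's loader treats the file as names separated by whitespace or
    ':' and ignores everything after '#' on a line."""
    libs: List[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return libs


def build_alert(event: Dict) -> Dict:
    """Produce an alert record carrying the rule's output fields plus the
    parsed preload entries (an extra field assumed by this example)."""
    content = event.get("file_content", "")
    alert = {k: event.get(k) for k in
             ("file_path", "process_name", "process_pid", "user", "timestamp")}
    alert["file_content"] = content
    alert["file_sha256"] = hashlib.sha256(content.encode()).hexdigest()
    alert["preload_entries"] = parse_preload(content)
    alert["level"] = "critical"
    alert["rule_id"] = RULE_ID
    return alert


def run_rule(events: Iterable[Dict]) -> List[Dict]:
    """Apply the rule to a stream of events and return the alerts."""
    return [build_alert(e) for e in events if matches_rule(e)]


def check_local_host() -> Optional[Dict]:
    """Direct check on the running host, mirroring
    `ls -la /etc/ld.so.preload && cat /etc/ld.so.preload`.
    A preload library can hook libc inside this interpreter as well, so on
    a suspect host this is only a first signal; the rule's note says to
    continue with statically linked binaries from clean media."""
    if not os.path.exists(PRELOAD_PATH):
        return None
    with open(PRELOAD_PATH, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    st = os.stat(PRELOAD_PATH)
    return build_alert({"file_path": PRELOAD_PATH, "file_content": content,
                        "timestamp": st.st_mtime, "user": st.st_uid})


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print("ALERT", alert["level"], alert["file_path"],
              "entries:", alert["preload_entries"])
    live = check_local_host()
    print("local host:",
          "ld.so.preload present" if live else "no ld.so.preload")
```

Running it prints one alert for the constructed `/etc/ld.so.preload` event and nothing for the `/etc/ld.so.cache` write, which is the point of the exact-path selection: routine `ldconfig` activity next door does not trigger the rule, while any write to the preload file does, regardless of which library it names.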