ASLR Disabled Via Sysctl or Direct Syscall - Linux (e497a24e-9345-4a62-9803-b06d7d7cb132)
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the sysctl command to set kernel.randomize_va_space=0
Attackers often disable ASLR during exploit development or to bypass memory protection mechanisms.
Successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
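
The three conditions above, applied to auditd records, as an added example that is not part of the rule itself. It assumes raw auditd key=value lines, x86_64 (where personality is syscall 135), and an audit watch on the proc file limited to writes; all sample lines are constructed.

```python
import re

ADDR_NO_RANDOMIZE = 0x0040000   # flag value named in the rule description
QUERY_ONLY = 0xFFFFFFFF         # personality(0xffffffff) only reads the persona
ASLR_PROC = "/proc/sys/kernel/randomize_va_space"
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE = [  # constructed auditd records, not taken from a real host
    'type=SYSCALL msg=audit(1700000000.101:11): arch=c000003e syscall=135 success=yes exit=0 a0=40000 a1=0 comm="app"',
    'type=SYSCALL msg=audit(1700000000.102:12): arch=c000003e syscall=135 success=yes exit=0 a0=ffffffff a1=0 comm="app"',
    'type=PATH msg=audit(1700000000.103:13): item=0 name="/proc/sys/kernel/randomize_va_space" nametype=NORMAL',
    'type=EXECVE msg=audit(1700000000.104:14): argc=3 a0="sysctl" a1="-w" a2="kernel.randomize_va_space=0"',
    'type=EXECVE msg=audit(1700000000.105:15): argc=3 a0="sysctl" a1="-w" a2="kernel.randomize_va_space=2"',
]

def parse(line):
    """Split one auditd record into a dict of key -> unquoted value."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def classify(line):
    """Return which ASLR-disabling method the record matches, or None."""
    rec = parse(line)
    rtype = rec.get("type")
    if rtype == "SYSCALL":
        # Enriched logs carry SYSCALL=personality; raw logs only the number.
        is_personality = rec.get("SYSCALL") == "personality" or (
            rec.get("arch") == "c000003e" and rec.get("syscall") == "135")
        if is_personality:
            persona = int(rec.get("a0", "0"), 16) & 0xFFFFFFFF  # args are bare hex
            if persona != QUERY_ONLY and persona & ADDR_NO_RANDOMIZE:
                return "personality"
    elif rtype == "PATH" and rec.get("name") == ASLR_PROC:
        return "proc_write"  # assumes the audit watch fires on writes only
    elif rtype == "EXECVE":
        argc = int(rec.get("argc", "0"))
        args = [rec.get(f"a{i}", "") for i in range(argc)]
        prog = args[0].rsplit("/", 1)[-1] if args else ""
        if prog == "sysctl" and "kernel.randomize_va_space=0" in args:
            return "sysctl"
    return None

def scan(lines):
    return [classify(line) for line in lines]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Testing the flag as a bitmask catches the flag when it is combined with other persona bits, and excluding 0xffffffff avoids alerting on calls that only query the current persona.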