Disable ASLR Via Personality Syscall - Linux (e497a24e-9345-4a62-9803-b06d7d7cb132)

Detects the use of the personality syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers during exploit development, or to bypass memory protection mechanisms. A successful use of this flag reduces the effectiveness of ASLR and makes memory corruption attacks more reliable.
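As an added example (not part of this MISP galaxy page or the Sigma rule itself), the following Python checker applies the rule's logic to constructed, simplified auditd-style SYSCALL records. It assumes auditd's interpreted output, where the syscall name appears as `syscall=personality` and the first argument (the persona bitmask) is in the `a0` field as bare hex; it also handles the case the description does not spell out, where `personality(0xffffffff)` only queries the current persona and must not be flagged even though every bit is set.

```python
import re

ADDR_NO_RANDOMIZE = 0x0040000   # personality(2) flag that disables ASLR
PERSONALITY_QUERY = 0xFFFFFFFF  # personality(0xffffffff) queries, never sets

# Constructed, simplified auditd-style SYSCALL records (not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.001:101): arch=c000003e syscall=personality success=yes exit=0 a0=40000 a1=0 a2=0 a3=0 pid=4242 comm="gdb" exe="/usr/bin/gdb"
type=SYSCALL msg=audit(1700000000.002:102): arch=c000003e syscall=personality success=yes exit=0 a0=ffffffff a1=0 a2=0 a3=0 pid=4243 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1700000000.003:103): arch=c000003e syscall=personality success=yes exit=0 a0=40008 a1=0 a2=0 a3=0 pid=4244 comm="setarch" exe="/usr/bin/setarch"
type=SYSCALL msg=audit(1700000000.004:104): arch=c000003e syscall=openat success=yes exit=3 a0=ffffff9c a1=7ffd a2=0 a3=0 pid=4245 comm="cat" exe="/usr/bin/cat"
"""

# key=value pairs; values may be quoted (comm="gdb") or bare (a0=40000)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def persona_from_record(rec):
    """Return the persona argument of a personality() call, else None."""
    if rec.get("type") != "SYSCALL" or rec.get("syscall") != "personality":
        return None
    try:
        return int(rec["a0"], 16)  # auditd prints a0 as hex without 0x
    except (KeyError, ValueError):
        return None


def disables_aslr(persona):
    """True when the persona sets ADDR_NO_RANDOMIZE (and is not a query)."""
    return persona != PERSONALITY_QUERY and bool(persona & ADDR_NO_RANDOMIZE)


def find_aslr_disables(log_text):
    """Return (pid, comm, exe, persona) for every ASLR-disabling call."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        persona = persona_from_record(rec)
        if persona is not None and disables_aslr(persona):
            hits.append((rec.get("pid"), rec.get("comm"), rec.get("exe"), hex(persona)))
    return hits


if __name__ == "__main__":
    for hit in find_aslr_disables(SAMPLE_LOG):
        print(hit)
```

The bitmask test rather than an equality test is what catches the third record, where ADDR_NO_RANDOMIZE is combined with another persona bit; a rule that matched only the exact value 0x40000 would miss it.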

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable ASLR Via Personality Syscall - Linux (e497a24e-9345-4a62-9803-b06d7d7cb132) | Sigma-Rules | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| Disable ASLR Via Personality Syscall - Linux (e497a24e-9345-4a62-9803-b06d7d7cb132) | Sigma-Rules | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 1 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 2 |