Environment Hijacking
Detects manipulation of system environment, DNS, network resolution, and execution paths to redirect or intercept traffic and commands
9 rules in environment_hijacking.yml
CRITICAL: 1 | HIGH: 6 | MEDIUM: 2
| Rule ID | Severity | Title | Description | Refs |
|---|---|---|---|---|
| ld_ | CRITICAL | Dynamic Linker Configuration Tampering | Modifies /etc/ld.so.conf or runs ldconfig with custom paths to inject malicious shared libraries | |
| alternatives_ | HIGH | System Alternatives Manipulation | Uses update-alternatives to replace system binaries with attacker-controlled versions | |
| etc_ | HIGH | /etc/hosts DNS Hijacking | Modifies /etc/hosts to redirect domain resolution to attacker-controlled IPs | |
| library_ | HIGH | Library Search Path Injection | Modifies CLASSPATH, GEM_PATH, NODE_PATH, or other language library paths to load malicious code | |
| path_ | HIGH | PATH Environment Variable Manipulation | Prepends a directory to PATH, allowing malicious binaries to shadow legitimate system commands | |
| pythonpath_ | HIGH | PYTHONPATH Manipulation | PYTHONPATH is exported, or set to a writable location like /tmp, /var/tmp, or /dev/shm. Python imports the planted module first, giving the attacker code execution as the playbook user. | |
| resolv_ | HIGH | DNS Resolver Manipulation | Modifies /etc/resolv.conf to point to attacker-controlled DNS servers | |
| motd_ | MEDIUM | MOTD/Profile Script Injection | Injects commands into /etc/profile, /etc/motd, or login scripts that execute on every user login | |
| ntp_ | MEDIUM | NTP Server Manipulation | Changes NTP server configuration, potentially enabling time-based authentication bypass | |