Environment Variables Detection Mechanism
Monitor and analyze environment variable operations to catch attacks using dynamic linker tricks, credential theft, or persistence through environment tampering.
Overview
Jibril tracks environment-related activity to detect abuse of dynamic linker variables, secret extraction from process environments, and persistence using environment files.
How It Works
Process Environment Tracking
Jibril watches process environments for:
- Use of dynamic linker variables
- Access to other processes’ environment files
- Other mechanisms of environment tampering
Contextual Analysis
Links environment activity to its context:
- What environment variables were set or used
- Who accessed or changed environments
- Correlation with related file access or execution patterns
Use Cases
Detection Capabilities
Dynamic Linker Attacks
- LD_PRELOAD or LD_LIBRARY_PATH hijacking
- Shared library preloading attacks
Process Tampering
- Runtime modification via environment
- Library/function hooking
- API interception
Credential Exposure
- Processes reading credentials, API keys, or tokens from other processes’ environments
Persistence
- Boot or login persistence through /etc/ld.so.preload or shell configs
- Automatic library loading
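The three checks this page describes (dynamic linker variables in a process environment, reads of other processes' environment files, and persistence through /etc/ld.so.preload) can be reproduced with a small host audit. The script below is an added example written for this page, not Jibril's own code or its eBPF logic; it assumes a Linux host where environment files are /proc/<pid>/environ and open descriptors are visible under /proc/<pid>/fd, and it only reads those files. The `demo()` function runs the same checks over constructed sample data so it works offline; `audit_host()` walks the live /proc tree and needs root to see other users' processes.

```python
"""Audit process environments for dynamic-linker abuse, environ snooping
and ld.so.preload persistence.  Added example; not part of Jibril."""
import os
import re
from dataclasses import dataclass

# Dynamic linker variables the page names as hijacking vectors.
LINKER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}
# Another process's environment file: the read target in credential-theft cases.
ENVIRON_PATH = re.compile(r"^/proc/(\d+)/environ$")
LD_SO_PRELOAD = "/etc/ld.so.preload"


@dataclass(frozen=True)
class Finding:
    pid: int
    category: str   # "dynamic_linker" or "environ_read"
    detail: str


def parse_environ(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for entry in blob.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips empty trailing entries and anything without '='
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def check_process(pid: int, env: dict, open_paths) -> list:
    """Flag linker-variable use and reads of other processes' environ files."""
    findings = []
    for var in sorted(LINKER_VARS & set(env)):
        findings.append(Finding(pid, "dynamic_linker", f"{var}={env[var]}"))
    for path in open_paths:
        m = ENVIRON_PATH.match(path)
        if m and int(m.group(1)) != pid:  # a process reading its own environ is normal
            findings.append(Finding(pid, "environ_read", f"open {path}"))
    return findings


def preload_entries(content: str) -> list:
    """Libraries listed in /etc/ld.so.preload (whitespace separated).
    Any entry is loaded into every dynamically linked process at startup."""
    return content.split()


def audit_host() -> dict:
    """Live mode: walk /proc on a Linux host (needs root for other users' processes)."""
    findings = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/environ", "rb") as f:
                env = parse_environ(f.read())
            fd_dir = f"/proc/{pid}/fd"
            open_paths = []
            for fd in os.listdir(fd_dir):
                try:
                    open_paths.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:
                    pass  # descriptor closed between listdir and readlink
        except OSError:  # process exited or permission denied
            continue
        findings.extend(check_process(pid, env, open_paths))
    preload = ""
    try:
        with open(LD_SO_PRELOAD) as f:
            preload = f.read()
    except OSError:
        pass  # file absent: no persistence via ld.so.preload
    return {"findings": findings, "ld_so_preload": preload_entries(preload)}


def demo() -> dict:
    """Constructed sample data (not captured from a real host) exercising each check."""
    benign = b"PATH=/usr/bin:/bin\0HOME=/home/app\0"
    hijacked = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0LD_LIBRARY_PATH=/tmp/.x\0"
    snooper_fds = ["/dev/null", "/proc/4242/environ", "/proc/777/environ"]  # 777 is its own pid
    preload_file = "/tmp/.x/libhook.so\n"  # constructed ld.so.preload content
    findings = check_process(101, parse_environ(benign), ["/dev/null"])
    findings += check_process(202, parse_environ(hijacked), ["/dev/pts/0"])
    findings += check_process(777, parse_environ(benign), snooper_fds)
    return {"findings": findings, "ld_so_preload": preload_entries(preload_file)}


if __name__ == "__main__":
    for finding in demo()["findings"]:
        print(finding)
    print("ld.so.preload:", demo()["ld_so_preload"])
```

In the sample run, pid 202 is reported twice (once per linker variable), pid 777 is reported for opening /proc/4242/environ but not its own file, and the non-empty ld.so.preload entry is surfaced as a persistence indicator. A point-in-time /proc walk only sees descriptors that are open at that instant, which is why a runtime monitor such as Jibril hooks the open and exec events themselves rather than polling; the script is meant to show what each detection looks for, not to replace that.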