From bdff2c312b0b84398797eba4d0e08cd1cff4d0d7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:44:53 +0300 Subject: [PATCH] Update lnx_auditd_ld_so_preload_mod.yml --- rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml index 97643378a..526e3f965 100644 --- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml +++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -1,8 +1,12 @@ title: Modification of ld.so.preload description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html tags: - attack.defense_evasion - attack.t1055 @@ -12,10 +16,8 @@ logsource: detection: selection: type: 'PATH' - name: - - '/etc/ld.so.preload' - condition: selection + name: '/etc/ld.so.preload' condition: selection falsepositives: - - unknown + - Unknown level: medium
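Review bot: The rewritten `name: '/etc/ld.so.preload'` selection matches any PATH record carrying that exact string, so what the rule actually detects depends on the auditd watch that produces the records, and the rule does not state it; ld.so opens this file at the start of every dynamically linked process, so a watch that includes the `r` permission (or a broad syscall rule) would, as far as I can tell, make this fire constantly, while a write issued through a relative path (`cwd=/etc`, `name=ld.so.preload`) would not match because auditd records the PATH name as passed to the syscall rather than a normalized absolute path. I would pin the expected collection in the rule, e.g. a comment above `logsource:` reading `# Requires an audit watch on write/attribute changes only: -w /etc/ld.so.preload -p wa -k ld_so_preload`, and say in `description` that the match is on the literal pathname. If the target backends support modifiers, `name|endswith: 'ld.so.preload'` would also cover the relative form at the cost of matching same-named files elsewhere. `falsepositives` stays `Unknown`, although configuration management and installers of legitimate preload hooks are plausible sources; naming them would help triage.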