Disable ASLR Via Personality Syscall - Linux

Rule Info

Name
Disable ASLR Via Personality Syscall - Linux
Author
Milad Cheraghi
Description
Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers for exploit development or to bypass memory protection mechanisms. A successful use of this flag can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
Date
2025-05-26 00:00:00
Modified
2025-06-05 00:00:00
Id
e497a24e-9345-4a62-9803-b06d7d7cb132
Tags
attack.defense-evasion attack.t1562.001 attack.t1055.009
Type
Community Rule
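As an added illustration of the detection this rule describes (not the Sigma rule's own logic, and not code from SigmaHQ or the rule author), the following Python checks constructed auditd SYSCALL records for a successful personality() call whose persona argument has the ADDR_NO_RANDOMIZE bit set. The number-to-name mapping (135 is personality on x86_64), the sample records and the field names taken from raw auditd output are assumptions.

```python
import re

# ADDR_NO_RANDOMIZE as defined in <sys/personality.h> (0x0040000)
ADDR_NO_RANDOMIZE = 0x0040000
# personality(0xffffffff) only queries the current persona and changes nothing
PERSONALITY_QUERY = 0xFFFFFFFF
# Assumed: raw (uninterpreted) auditd records carry the number; 135 is personality on x86_64
SYSCALL_NAMES = {"135": "personality"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one auditd key=value record into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def disables_aslr(record):
    """True for a successful personality() call that sets ADDR_NO_RANDOMIZE."""
    if record.get("type") != "SYSCALL" or record.get("success") != "yes":
        return False
    name = record.get("syscall", "")
    if SYSCALL_NAMES.get(name, name) != "personality":
        return False
    try:
        persona = int(record.get("a0", ""), 16)  # auditd logs arguments as bare hex
    except ValueError:
        return False
    if persona == PERSONALITY_QUERY:
        return False  # read-only query, e.g. a debugger inspecting the persona
    # Test the bit, not equality: the flag is OR-ed with a base persona (PER_LINUX32 etc.)
    return bool(persona & ADDR_NO_RANDOMIZE)


def find_aslr_disables(lines):
    """Return (pid, comm) for every record that disabled ASLR."""
    records = (parse_audit_record(line) for line in lines)
    return [(r["pid"], r["comm"]) for r in records if disables_aslr(r)]


# Constructed sample records (not real telemetry); exactly two should match.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1717000000.101:201): arch=c000003e syscall=personality '
    'success=yes exit=0 a0=40000 a1=0 a2=0 a3=0 pid=1234 uid=1000 comm="setarch" exe="/usr/bin/setarch"',
    'type=SYSCALL msg=audit(1717000000.102:202): arch=c000003e syscall=135 '
    'success=yes exit=0 a0=ffffffff a1=0 a2=0 a3=0 pid=1235 uid=1000 comm="gdb" exe="/usr/bin/gdb"',
    'type=SYSCALL msg=audit(1717000000.103:203): arch=c000003e syscall=135 '
    'success=no exit=-1 a0=40000 a1=0 a2=0 a3=0 pid=1236 uid=1000 comm="bash" exe="/usr/bin/bash"',
    'type=SYSCALL msg=audit(1717000000.104:204): arch=c000003e syscall=135 '
    'success=yes exit=0 a0=40008 a1=0 a2=0 a3=0 pid=1237 uid=1000 comm="loader" exe="/tmp/loader"',
    'type=PROCTITLE msg=audit(1717000000.104:204): proctitle="/tmp/loader"',
]

if __name__ == "__main__":
    for pid, comm in find_aslr_disables(SAMPLE_LOG):
        print(f"ASLR disabled via personality(): pid={pid} comm={comm}")
```

Legitimate tooling (setarch -R, debuggers) also sets this flag, so the process context in the matching record is what separates expected use from suspicious use.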

Rule History

Author | Title | Date | Commit
phantinuss | Merge PR #5467 from @phantinuss - use syscall names instead of ids | 2025-06-05 |
Milad Cheraghi | Merge PR #5441 from @CheraghiMilad - chore: update reference | 2025-05-31 |
Milad Cheraghi | Merge PR #5435 from @CheraghiMilad - Disable ASLR Via Personality Syscall - Linux | 2025-05-28 |