Disable ASLR Via Personality Syscall - Linux

Original Source: [Sigma source]
Title: Disable ASLR Via Personality Syscall - Linux
Status: experimental
Description: Detects the use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000), which disables Address Space Layout Randomization (ASLR) in Linux. This is often used by attackers during exploit development, or to bypass memory protection mechanisms. A successful use of this flag reduces the effectiveness of ASLR and makes memory corruption attacks more reliable.
References:
  - https://github.com/CheraghiMilad/bypass-Neo23x0-auditd-config/blob/f1c478a37911a5447d5ffcd580f22b167bf3df14/personality-syscall/README.md
  - https://man7.org/linux/man-pages/man2/personality.2.html
  - https://manual.cs50.io/2/personality
Author: Milad Cheraghi
Date: 2025-05-26
Modified: 2025-06-05
Tags:
  - 'attack.defense-evasion'
  - 'attack.t1562.001'
  - 'attack.t1055.009'
Logsource:
  product: linux
  service: auditd
Detection:
  selection:
    type: 'SYSCALL'
    syscall: 'personality'
    a0: '40000'
  condition: selection
Falsepositives:
  - Debugging or legitimate software testing
Level: low
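The detection block above matches `a0` as the literal string `40000`. The following Python example, added here and not part of the Sigma rule or its author's repository, runs the same logic over constructed auditd SYSCALL records and shows two practical differences a practitioner runs into: raw `audit.log` records carry the syscall *number* (135 on x86_64) rather than the name `personality`, and `a0` is a bitmask, so a call that combines ADDR_NO_RANDOMIZE with other persona flags (for example `setarch -R -X`, which also sets READ_IMPLIES_EXEC) does not equal `40000` and slips past an exact match. The arch-to-syscall-number table, the field layout of the sample lines, and the hypothetical `detect`/`match_sigma_exact` helpers are assumptions of this example; the sample records are constructed, not real captures.

```python
import re

# ADDR_NO_RANDOMIZE as documented in personality(2) and used by the rule above
ADDR_NO_RANDOMIZE = 0x0040000

# Raw audit.log records carry the syscall number, which depends on the audit "arch" code.
# Assumption of this example: the three arch codes / numbers listed here.
PERSONALITY_SYSCALL_NR = {
    "c000003e": 135,  # x86_64
    "c00000b7": 92,   # aarch64
    "40000003": 136,  # i386
}

# Constructed sample records (not real captures): three ASLR-disabling calls,
# one benign query of the current persona, and an unrelated syscall.
SAMPLE_AUDIT_LINES = [
    # 1. raw x86_64 record, e.g. `setarch -R`: a0=40000 exactly as the rule expects
    'type=SYSCALL msg=audit(1748246400.101:201): arch=c000003e syscall=135 success=yes exit=0 '
    'a0=40000 a1=0 a2=0 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 '
    'comm="setarch" exe="/usr/bin/setarch" key="personality"',
    # 2. raw record with ADDR_NO_RANDOMIZE combined with READ_IMPLIES_EXEC (0x0400000)
    'type=SYSCALL msg=audit(1748246400.102:202): arch=c000003e syscall=135 success=yes exit=0 '
    'a0=440000 a1=0 a2=0 a3=0 items=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 '
    'comm="setarch" exe="/usr/bin/setarch" key="personality"',
    # 3. interpreted record (ausearch -i style): syscall by name, 0x-prefixed a0
    'type=SYSCALL msg=audit(05/26/2025 10:00:00.303:203) : arch=x86_64 syscall=personality '
    'success=yes exit=0 a0=0x40000 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1200 pid=1236 '
    'auid=user uid=user gid=user comm=gdb exe=/usr/bin/gdb key=personality',
    # 4. benign: personality(0xffffffff) only reads the current persona, changes nothing
    'type=SYSCALL msg=audit(1748246400.104:204): arch=c000003e syscall=135 success=yes exit=0 '
    'a0=ffffffff a1=0 a2=0 a3=0 items=0 ppid=1 pid=1237 auid=1000 uid=1000 gid=1000 '
    'comm="myapp" exe="/usr/local/bin/myapp" key="personality"',
    # 5. unrelated syscall (open) whose first argument happens to be 40000
    'type=SYSCALL msg=audit(1748246400.105:205): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=40000 a1=0 a2=1b6 a3=0 items=1 ppid=1200 pid=1238 auid=1000 uid=1000 gid=1000 '
    'comm="cat" exe="/usr/bin/cat" key="files"',
]

_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in _KV_RE.findall(line)}


def is_personality_syscall(fields):
    """Accept the interpreted name or the raw number for the record's arch."""
    sc = fields.get("syscall", "")
    if sc == "personality":
        return True
    nr = PERSONALITY_SYSCALL_NR.get(fields.get("arch", "").lower())
    return sc.isdigit() and nr is not None and int(sc) == nr


def disables_aslr(fields):
    """True when a0 has the ADDR_NO_RANDOMIZE bit set (bitmask test, not exact match)."""
    a0 = fields.get("a0")
    if a0 is None:
        return False
    try:
        value = int(a0, 16)  # audit renders register arguments as hex, with or without 0x
    except ValueError:
        return False
    if value == 0xFFFFFFFF:  # query of the current persona, not a change
        return False
    return bool(value & ADDR_NO_RANDOMIZE)


def match_sigma_exact(fields):
    """The rule's literal selection: type SYSCALL, personality, a0 == '40000'."""
    return (fields.get("type") == "SYSCALL"
            and is_personality_syscall(fields)
            and fields.get("a0") == "40000")


def detect(lines):
    """Return one hit per SYSCALL record that disables ASLR via personality(2)."""
    hits = []
    for line in lines:
        f = parse_audit_record(line)
        if f.get("type") != "SYSCALL" or not is_personality_syscall(f):
            continue
        if disables_aslr(f):
            hits.append({"pid": f.get("pid"), "comm": f.get("comm"),
                         "exe": f.get("exe"), "a0": hex(int(f["a0"], 16))})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_AUDIT_LINES):
        print(f"ASLR disabled: pid={hit['pid']} comm={hit['comm']} exe={hit['exe']} a0={hit['a0']}")
```

On the five constructed records the bitmask check flags records 1, 2 and 3, while the rule's exact `a0: '40000'` match only catches record 1: record 2 fails because extra flag bits are set, and record 3 because interpreted output prefixes the value with `0x`. Two operational caveats follow from this: the rule's `syscall: 'personality'` assumes the collection pipeline resolves syscall numbers to names (raw `audit.log` holds the number), and auditd only emits a SYSCALL record for `personality` at all if an audit rule with `-S personality` is loaded. Record 3 is also the expected shape of the listed false positive, since debuggers such as gdb disable randomization this way for the debuggee.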