Deprecated - Creation of Kernel Module

Identifies activity related to loading kernel modules on Linux via the creation of new .ko files in the LKM directory.


 1[metadata]
 2creation_date = "2023/08/23"
 3deprecation_date = "2026/02/04"
 4integration = ["endpoint"]
 5maturity = "deprecated"
 6updated_date = "2026/02/04"
 7
 8[rule]
 9author = ["Elastic"]
10building_block_type = "default"
11description = "Identifies activity related to loading kernel modules on Linux via creation of new ko files in the LKM directory.\n"
12from = "now-119m"
13index = ["logs-endpoint.events.*", "endgame-*"]
14interval = "60m"
15language = "eql"
16license = "Elastic License v2"
17name = "Deprecated - Creation of Kernel Module"
18risk_score = 21
19rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3"
20severity = "low"
21tags = [
22    "Domain: Endpoint",
23    "OS: Linux",
24    "Use Case: Threat Detection",
25    "Tactic: Persistence",
26    "Rule Type: BBR",
27    "Data Source: Elastic Defend",
28    "Data Source: Elastic Endgame",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and
35file.extension == "ko" and not process.name : (
36  "dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm", "cp"
37)
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1547"
45name = "Boot or Logon Autostart Execution"
46reference = "https://attack.mitre.org/techniques/T1547/"
47[[rule.threat.technique.subtechnique]]
48id = "T1547.006"
49name = "Kernel Modules and Extensions"
50reference = "https://attack.mitre.org/techniques/T1547/006/"
51
52
53
54[rule.threat.tactic]
55id = "TA0003"
56name = "Persistence"
57reference = "https://attack.mitre.org/tactics/TA0003/"
