Persistence via Kernel Module Modification

Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.

Elastic rule (View on GitHub)

# Elastic detection rule (TOML). Lifecycle dates below: the rule was
# created 2020-02-18 and marked deprecated on 2021-04-15, so it is kept
# for reference rather than as an actively maintained detection.
[metadata]
creation_date = "2020/02/18"
deprecation_date = "2021/04/15"
maturity = "deprecated"
updated_date = "2021/04/15"

[rule]
author = ["Elastic"]
# NOTE(review): the description speaks of "kernel module errors", but the
# query below matches process *starts* of module-management tools, not
# error events — confirm which wording is intended before reusing this rule.
description = "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts."
# Known benign sources of matches; use these to scope exceptions when tuning.
false_positives = [
    """
    Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these
    programs by ordinary users is uncommon.
    """,
]
# Start of the query window, as date math relative to evaluation time.
from = "now-9m"
# Index patterns the query is evaluated against (Auditbeat and Endpoint process events).
index = ["auditbeat-*", "logs-endpoint.events.*"]
# The query string is written in KQL ("kuery").
language = "kuery"
license = "Elastic License v2"
name = "Persistence via Kernel Module Modification"
references = [
    "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM",
]
# risk_score 21 is Elastic's usual pairing for severity "low".
risk_score = 21
rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
# Window the rule on ingest time rather than the event's own timestamp;
# presumably the 9m lookback above is sized for ingest lag — TODO confirm.
timestamp_override = "event.ingested"
type = "query"

# Matches process-start events whose process.name is one of the module
# tools. NOTE(review): "rmod" is not the conventional name of the Linux
# remove-module utility (rmmod); it looks like a typo — verify against the
# upstream rule history before relying on that term. Matching is on
# process.name only.
query = '''
event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)
'''


# ATT&CK mapping: Persistence (TA0003) via Boot or Logon Autostart
# Execution (T1547), sub-technique Kernel Modules and Extensions (T1547.006).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
