Executable Masquerading as Kernel Process
Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/02/01"
3integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
4maturity = "production"
5min_stack_version = "8.13.0"
6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
7updated_date = "2025/01/15"
8
9[rule]
10author = ["Elastic"]
11description = """
12Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such
13as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to
14hide their malicious programs by masquerading as legitimate kernel processes.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.*", "endgame-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Executable Masquerading as Kernel Process"
21references = ["https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/"]
22risk_score = 21
23rule_id = "202829f6-0271-4e88-b882-11a655c590d4"
24setup = """## Setup
25
26
27This rule requires data coming in from Elastic Defend.
28
29### Elastic Defend Integration Setup
30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
31
32#### Prerequisite Requirements:
33- Fleet is required for Elastic Defend.
34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
35
36#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
37- Go to the Kibana home page and click "Add integrations".
38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
39- Click "Add Elastic Defend".
40- Configure the integration name and optionally add a description.
41- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
46- Click "Save and Continue".
47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
49"""
50severity = "low"
51tags = [
52 "Domain: Endpoint",
53 "OS: Linux",
54 "Use Case: Threat Detection",
55 "Tactic: Defense Evasion",
56 "Data Source: Elastic Defend",
57 "Data Source: Elastic Endgame",
58 "Data Source: Crowdstrike",
59 "Data Source: SentinelOne",
60 "Resources: Investigation Guide",
61]
62timestamp_override = "event.ingested"
63type = "eql"
64
65query = '''
66process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
67process.name : ("kworker*", "kthread*") and process.executable != null
68'''
69note = """## Triage and analysis
70
71> **Disclaimer**:
72> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
73
74### Investigating Executable Masquerading as Kernel Process
75
76In Linux environments, kernel processes like `kthreadd` and `kworker` typically run without associated executable paths. Adversaries exploit this by naming malicious executables after these processes to evade detection. The detection rule identifies anomalies by flagging kernel-named processes with non-empty executable fields, indicating potential masquerading attempts. This helps in uncovering stealthy threats that mimic legitimate system activities.
77
78### Possible investigation steps
79
80- Review the process details for the flagged process, focusing on the process.executable field to identify the path and name of the executable. This can provide initial insights into whether the executable is legitimate or potentially malicious.
81- Check the process's parent process (process.parent) to understand the context in which the process was started. This can help determine if the process was spawned by a legitimate system process or a suspicious one.
82- Investigate the file at the path specified in the process.executable field. Verify its legitimacy by checking its hash against known malware databases or using a file reputation service.
83- Examine the process's command line arguments (process.command_line) for any unusual or suspicious parameters that might indicate malicious activity.
84- Review recent system logs and events around the time the process was started to identify any related activities or anomalies that could provide additional context or evidence of compromise.
85- If available, use threat intelligence sources to check for any known indicators of compromise (IOCs) related to the process name or executable path.
86
87### False positive analysis
88
89- Custom scripts or administrative tools may be named similarly to kernel processes for convenience or organizational standards. Review these scripts and tools to ensure they are legitimate and consider adding them to an exception list if verified.
90- Some legitimate software or monitoring tools might use kernel-like names for their processes to integrate closely with system operations. Verify the source and purpose of these processes and exclude them if they are confirmed to be non-malicious.
91- System updates or patches might temporarily create processes with kernel-like names that have executable paths. Monitor these occurrences and exclude them if they are part of a verified update process.
92- Development or testing environments may intentionally use kernel-like names for process simulation. Ensure these environments are isolated and add exceptions for these processes if they are part of controlled testing scenarios.
93
94### Response and remediation
95
96- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
97- Terminate the suspicious process immediately to stop any ongoing malicious actions. Use process management tools to kill the process identified by the alert.
98- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise (IOCs) and assess the extent of the intrusion.
99- Remove any malicious executables or files associated with the masquerading process from the system to ensure complete remediation.
100- Restore the system from a known good backup if the integrity of the system is compromised, ensuring that the backup is free from any malicious artifacts.
101- Update and patch the system to close any vulnerabilities that may have been exploited by the attacker, ensuring all software and security tools are up to date.
102- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
103
104
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107[[rule.threat.technique]]
108id = "T1036"
109name = "Masquerading"
110reference = "https://attack.mitre.org/techniques/T1036/"
111[[rule.threat.technique.subtechnique]]
112id = "T1036.004"
113name = "Masquerade Task or Service"
114reference = "https://attack.mitre.org/techniques/T1036/004/"
115
116
117[[rule.threat.technique]]
118id = "T1564"
119name = "Hide Artifacts"
120reference = "https://attack.mitre.org/techniques/T1564/"
121
122
123[rule.threat.tactic]
124id = "TA0005"
125name = "Defense Evasion"
126reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Executable Masquerading as Kernel Process
In Linux environments, kernel processes like kthreadd
and kworker
typically run without associated executable paths. Adversaries exploit this by naming malicious executables after these processes to evade detection. The detection rule identifies anomalies by flagging kernel-named processes with non-empty executable fields, indicating potential masquerading attempts. This helps in uncovering stealthy threats that mimic legitimate system activities.
Possible investigation steps
- Review the process details for the flagged process, focusing on the process.executable field to identify the path and name of the executable. This can provide initial insights into whether the executable is legitimate or potentially malicious.
- Check the process's parent process (process.parent) to understand the context in which the process was started. This can help determine if the process was spawned by a legitimate system process or a suspicious one.
- Investigate the file at the path specified in the process.executable field. Verify its legitimacy by checking its hash against known malware databases or using a file reputation service.
- Examine the process's command line arguments (process.command_line) for any unusual or suspicious parameters that might indicate malicious activity.
- Review recent system logs and events around the time the process was started to identify any related activities or anomalies that could provide additional context or evidence of compromise.
- If available, use threat intelligence sources to check for any known indicators of compromise (IOCs) related to the process name or executable path.
False positive analysis
- Custom scripts or administrative tools may be named similarly to kernel processes for convenience or organizational standards. Review these scripts and tools to ensure they are legitimate and consider adding them to an exception list if verified.
- Some legitimate software or monitoring tools might use kernel-like names for their processes to integrate closely with system operations. Verify the source and purpose of these processes and exclude them if they are confirmed to be non-malicious.
- System updates or patches might temporarily create processes with kernel-like names that have executable paths. Monitor these occurrences and exclude them if they are part of a verified update process.
- Development or testing environments may intentionally use kernel-like names for process simulation. Ensure these environments are isolated and add exceptions for these processes if they are part of controlled testing scenarios.
Response and remediation
- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate the suspicious process immediately to stop any ongoing malicious actions. Use process management tools to kill the process identified by the alert.
- Conduct a forensic analysis of the affected system to identify any additional indicators of compromise (IOCs) and assess the extent of the intrusion.
- Remove any malicious executables or files associated with the masquerading process from the system to ensure complete remediation.
- Restore the system from a known good backup if the integrity of the system is compromised, ensuring that the backup is free from any malicious artifacts.
- Update and patch the system to close any vulnerabilities that may have been exploited by the attacker, ensuring all software and security tools are up to date.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
References
Related rules
- Access Control List Modification via setfacl
- Attempt to Clear Kernel Ring Buffer
- Attempt to Disable Auditd Service
- Attempt to Disable Syslog Service
- Base16 or Base32 Encoding/Decoding Activity