Suspicious Kernel Feature Activity

 1[metadata]
 2creation_date = "2025/04/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2025/04/29"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects the modification and reading of kernel features through built-in commands. Attackers may collect
11information, disable or weaken Linux kernel protections. For example, an attacker may modify ASLR protection by
12disabling kernel.randomize_va_space, allow ptrace by setting kernel.yama.ptrace_scope to 0, or disable the
13NMI watchdog by setting kernel.nmi_watchdog to 0. These changes may be used to impair defenses and evade detection.
14"""
15from = "now-9m"
16index = [
17    "logs-endpoint.events.process*",
18]
19language = "eql"
20license = "Elastic License v2"
21name = "Suspicious Kernel Feature Activity"
22risk_score = 21
23rule_id = "3aff6ab1-18bd-427e-9d4c-c5732110c261"
24severity = "low"
25tags = [
26    "Domain: Endpoint",
27    "OS: Linux",
28    "Use Case: Threat Detection",
29    "Tactic: Defense Evasion",
30    "Tactic: Discovery",
31    "Data Source: Elastic Defend",
32]
33timestamp_override = "event.ingested"
34type = "eql"
35query = '''
36process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
37process.command_line : (
38  "*/etc/sysctl.conf*", "*/etc/sysctl.d/*", "*/proc/sys/kernel/nmi_watchdog*",
39  "*/proc/sys/vm/nr_hugepages*", "*/proc/sys/kernel/yama/ptrace_scope*",
40  "*/proc/sys/kernel/randomize_va_space*", "*/proc/sys/vm/drop_caches*",
41  "*/proc/sys/kernel/sysrq*", "*grsecurity*", "*exec-shield*",
42  "*kernel.randomize_va_space*", "*kernel.yama.ptrace_scope*",
43  "*kernel.nmi_watchdog*", "*vm.nr_hugepages*", "*vm.drop_caches*",
44  "*kernel.sysrq*"
45) and
46process.parent.executable != null and 
47(
48  (process.name == "tee" and process.args like "-*a*") or // also detects --append
49  (process.name == "cat" and not process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
50  (process.name == "grep" and process.args_count == 3 and not process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
51  (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or
52  (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and process.args : "*echo *")
53)
54'''
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58
59[rule.threat.tactic]
60name = "Defense Evasion"
61id = "TA0005"
62reference = "https://attack.mitre.org/tactics/TA0005/"
63
64[[rule.threat.technique]]
65name = "Impair Defenses"
66id = "T1562"
67reference = "https://attack.mitre.org/techniques/T1562/"
68
69[[rule.threat.technique.subtechnique]]
70name = "Indicator Blocking"
71id = "T1562.006"
72reference = "https://attack.mitre.org/techniques/T1562/006/"
73
74[[rule.threat.technique]]
75name = "Subvert Trust Controls"
76id = "T1553"
77reference = "https://attack.mitre.org/techniques/T1553/"
78
79[[rule.threat]]
80framework = "MITRE ATT&CK"
81
82[[rule.threat.technique]]
83id = "T1082"
84name = "System Information Discovery"
85reference = "https://attack.mitre.org/techniques/T1082/"
86
87[rule.threat.tactic]
88id = "TA0007"
89name = "Discovery"
90reference = "https://attack.mitre.org/tactics/TA0007/"