Kernel Seeking Activity

  1[metadata]
  2creation_date = "2025/01/07"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/02/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects kernel seeking activity through several built-in Linux utilities. Attackers may use these utilities
 11to search the Linux kernel for available symbols, functions, and other information that can be used to exploit the
 12kernel.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.process*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Kernel Seeking Activity"
 19references = ["https://www.elastic.co/security-labs/declawing-pumakit"]
 20risk_score = 21
 21rule_id = "3c9f7901-01d8-465d-8dc0-5d46671035fa"
 22setup = """## Setup
 23
 24This rule requires data coming in from Elastic Defend.
 25
 26### Elastic Defend Integration Setup
 27Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 28
 29#### Prerequisite Requirements:
 30- Fleet is required for Elastic Defend.
 31- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 32
 33#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 34- Go to the Kibana home page and click "Add integrations".
 35- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 36- Click "Add Elastic Defend".
 37- Configure the integration name and optionally add a description.
 38- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 39- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 40- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 41- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 42For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 43- Click "Save and Continue".
 44- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 45For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 46"""
 47severity = "low"
 48tags = [
 49    "Domain: Endpoint",
 50    "OS: Linux",
 51    "Use Case: Threat Detection",
 52    "Tactic: Discovery",
 53    "Tactic: Defense Evasion",
 54    "Data Source: Elastic Defend",
 55    "Resources: Investigation Guide",
 56]
 57timestamp_override = "event.ingested"
 58type = "eql"
 59query = '''
 60process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
 61(process.parent.args like "/boot/*" or process.args like "/boot/*") and (
 62  (process.name == "tail" and (process.args like "-c*" or process.args == "--bytes")) or
 63  (process.name == "cmp" and process.args == "-i") or
 64  (process.name in ("hexdump", "xxd") and process.args == "-s") or
 65  (process.name == "dd" and process.args like "seek*")
 66)
 67'''
 68note = """## Triage and analysis
 69
 70> **Disclaimer**:
 71> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 72
 73### Investigating Kernel Seeking Activity
 74
 75Kernel seeking involves probing the Linux kernel for symbols and functions, often using utilities like `tail`, `cmp`, `hexdump`, `xxd`, and `dd`. Adversaries exploit this to discover vulnerabilities for kernel exploitation. The detection rule identifies suspicious execution patterns of these utilities, particularly when accessing kernel-related paths, signaling potential malicious reconnaissance or exploitation attempts.
 76
 77### Possible investigation steps
 78
 79- Review the process execution details to confirm the use of utilities like `tail`, `cmp`, `hexdump`, `xxd`, or `dd` with the specified arguments, focusing on the `process.name` and `process.args` fields.
 80- Examine the `process.parent.args` and `process.args` fields to identify the specific kernel-related paths accessed, such as those under `/boot/*`, to understand the context of the access.
 81- Investigate the parent process of the suspicious activity by analyzing the `process.parent` field to determine if it was initiated by a legitimate or potentially malicious process.
 82- Check the timeline of events around the alert to identify any preceding or subsequent suspicious activities that might indicate a broader attack pattern.
 83- Correlate the alert with other security events or logs from the same host to assess if there are additional indicators of compromise or related malicious activities.
 84- Evaluate the user account associated with the process execution to determine if it aligns with expected behavior or if it might be compromised.
 85
 86### False positive analysis
 87
 88- System administrators or automated scripts may use utilities like `tail`, `cmp`, `hexdump`, `xxd`, and `dd` for legitimate maintenance tasks involving kernel files. To mitigate this, identify and whitelist specific scripts or processes that are known to perform these actions regularly.
 89- Backup or recovery operations might involve accessing kernel-related paths with these utilities. Exclude these operations by defining exceptions for known backup tools or processes that interact with the `/boot` directory.
 90- Developers working on kernel modules or custom kernel builds may trigger this rule during their normal workflow. Consider excluding specific user accounts or development environments from this rule to prevent false positives.
 91- Security tools or monitoring solutions that perform regular checks on kernel files could be mistakenly flagged. Review and whitelist these tools to ensure they are not incorrectly identified as threats.
 92
 93### Response and remediation
 94
 95- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 96- Terminate any suspicious processes identified by the detection rule, particularly those involving the utilities `tail`, `cmp`, `hexdump`, `xxd`, and `dd` accessing kernel paths.
 97- Conduct a thorough review of system logs and process execution history to identify any additional suspicious activities or related indicators of compromise.
 98- Restore the system from a known good backup if any unauthorized modifications to the kernel or system files are detected.
 99- Update the Linux kernel and all related packages to the latest versions to patch any known vulnerabilities that could be exploited.
100- Implement enhanced monitoring and alerting for similar activities, focusing on the execution of the specified utilities with kernel-related arguments.
101- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected."""
102
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105
106[[rule.threat.technique]]
107id = "T1082"
108name = "System Information Discovery"
109reference = "https://attack.mitre.org/techniques/T1082/"
110
111[rule.threat.tactic]
112id = "TA0007"
113name = "Discovery"
114reference = "https://attack.mitre.org/tactics/TA0007/"
115
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118
119[[rule.threat.technique]]
120id = "T1014"
121name = "Rootkit"
122reference = "https://attack.mitre.org/techniques/T1014/"
123
124[rule.threat.tactic]
125id = "TA0005"
126name = "Defense Evasion"
127reference = "https://attack.mitre.org/tactics/TA0005/"