Initramfs Extraction via CPIO

This rule detects the extraction of an initramfs image using the cpio command on Linux systems. The cpio command is used to create or extract cpio archives. Attackers may extract the initramfs image to modify the contents or add malicious files, which can be leveraged to maintain persistence on the system.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/01/16"
integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
maturity = "production"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
updated_date = "2025/01/22"

[rule]
author = ["Elastic"]
description = """
This rule detects the extraction of an initramfs image using the `cpio` command on Linux systems. The
`cpio` command is used to create or extract cpio archives. Attackers may extract the initramfs image to
modify the contents or add malicious files, which can be leveraged to maintain persistence on the system.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.process*",
    "endgame-*",
    "auditbeat-*",
    "logs-auditd_manager.auditd-*",
    "logs-crowdstrike.fdr*",
    "logs-sentinel_one_cloud_funnel.*"
]
language = "eql"
license = "Elastic License v2"
name = "Initramfs Extraction via CPIO"
risk_score = 21
rule_id = "17b3fcd1-90fb-4f5d-858c-dc1d998fa368"
setup = """## Setup
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Auditd Manager",
    "Data Source: Crowdstrike",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and
process.name == "cpio" and process.args in ("-H", "--format") and process.args == "newc" and not (
  process.parent.name in ("mkinitramfs", "dracut") or
  process.parent.executable like~ ("/usr/share/initramfs-tools/*", "/nix/store/*")
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Initramfs Extraction via CPIO

Initramfs is a temporary filesystem used during the Linux boot process, containing essential drivers and scripts. Attackers may exploit the `cpio` command to extract and modify initramfs, embedding malicious files to ensure persistence. The detection rule identifies suspicious `cpio` usage by monitoring process execution patterns, excluding legitimate parent processes, to flag potential threats.

### Possible investigation steps

- Review the process execution details to confirm the presence of the cpio command with arguments "-H" or "--format" and "newc" to ensure the alert is not a false positive.
- Investigate the parent process of the cpio command to determine if it is an unexpected or unauthorized process, as legitimate processes like mkinitramfs or dracut should be excluded.
- Check the execution path of the parent process to verify if it matches any known legitimate paths such as "/usr/share/initramfs-tools/*" or "/nix/store/*".
- Analyze the timeline of events around the cpio execution to identify any preceding or subsequent suspicious activities that might indicate a broader attack or persistence mechanism.
- Examine the system for any unauthorized modifications or additions to the initramfs image that could indicate tampering or the presence of malicious files.
- Correlate the alert with other security data sources like Elastic Endgame, Elastic Defend, or Crowdstrike to gather additional context and assess the scope of the potential threat.

### False positive analysis

- Legitimate system updates or maintenance activities may trigger the rule when tools like mkinitramfs or dracut are used. To handle this, ensure these processes are excluded by verifying that the parent process is mkinitramfs or dracut.
- Custom scripts or automation tools that manage initramfs might use cpio in a non-malicious context. Review these scripts and add their parent process names or paths to the exclusion list if they are verified as safe.
- Systems using non-standard initramfs management tools located in directories like /usr/share/initramfs-tools or /nix/store may cause false positives. Confirm these tools' legitimacy and update the exclusion paths accordingly.
- Development or testing environments where initramfs is frequently modified for legitimate reasons can generate alerts. Consider creating environment-specific exceptions to reduce noise while maintaining security in production systems.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or spread of potential malware.
- Terminate any suspicious processes related to the `cpio` command that do not have legitimate parent processes, such as `mkinitramfs` or `dracut`.
- Conduct a thorough review of the extracted initramfs contents to identify and remove any unauthorized or malicious files.
- Restore the initramfs from a known good backup to ensure system integrity and remove any potential persistence mechanisms.
- Monitor the system for any further suspicious activity, particularly related to the `cpio` command, to ensure the threat has been fully mitigated.
- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
- Update security policies and procedures to include specific checks for unauthorized `cpio` usage and enhance detection capabilities for similar threats."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1542"
name = "Pre-OS Boot"
reference = "https://attack.mitre.org/techniques/T1542/"

[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
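As an added example that is not part of the Elastic rule or its repository, the following Python re-implements the query's predicate over constructed ECS-style process events so the match and exclusion branches can be exercised offline; the event layout, the `make_event` helper and the sample parent paths are assumptions, not captured telemetry.

```python
import fnmatch

# Constants copied from the rule's query.
EVENT_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed"}
EXCLUDED_PARENT_NAMES = {"mkinitramfs", "dracut"}
EXCLUDED_PARENT_EXECUTABLES = ("/usr/share/initramfs-tools/*", "/nix/store/*")


def matches_rule(event: dict) -> bool:
    """True if an ECS-style process event satisfies the rule's EQL predicate.
    `in`/`==` on process.args hold when ANY array element matches; `like~` is a
    case-insensitive wildcard, so the parent executable is compared lower-cased."""
    process = event.get("process", {})
    parent = process.get("parent", {})
    args = process.get("args", [])
    ev = event.get("event", {})
    if event.get("host", {}).get("os", {}).get("type") != "linux" or ev.get("type") != "start":
        return False
    if ev.get("action") not in EVENT_ACTIONS or process.get("name") != "cpio":
        return False
    if not ({"-H", "--format"} & set(args)) or "newc" not in args:
        return False
    # Exclusions: initramfs build tooling as the direct parent.
    if parent.get("name") in EXCLUDED_PARENT_NAMES:
        return False
    parent_exe = (parent.get("executable") or "").lower()
    return not any(fnmatch.fnmatchcase(parent_exe, p) for p in EXCLUDED_PARENT_EXECUTABLES)


def make_event(args, parent_name, parent_exe, action="exec"):
    """Build a constructed ECS-like process event (sample data, not real telemetry)."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"type": "start", "action": action},
        "process": {"name": "cpio", "args": ["cpio", *args],
                    "parent": {"name": parent_name, "executable": parent_exe}},
    }


# Constructed samples: two legitimate rebuilds, one interactive extraction.
SAMPLE_EVENTS = {
    "dracut_rebuild": make_event(["-o", "-H", "newc"], "dracut", "/usr/bin/dracut"),
    "initramfs_tools_hook": make_event(["-i", "-H", "newc"], "sh", "/usr/share/initramfs-tools/hooks/example"),
    "interactive_extract": make_event(["-idv", "-H", "newc"], "bash", "/usr/bin/bash"),
}

if __name__ == "__main__":
    print({label: matches_rule(e) for label, e in SAMPLE_EVENTS.items()})
```

Only the interactive extraction fires; the two build-tool parents fall into the rule's exclusions, which is the behaviour the false-positive section above relies on.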
