Kernel Driver Load by non-root User
Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/01/10"
3integration = ["auditd_manager"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux
11kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security
12products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this
13rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through
14auditd_manager.
15"""
16from = "now-9m"
17index = ["logs-auditd_manager.auditd-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Kernel Driver Load by non-root User"
21risk_score = 47
22rule_id = "ba81c182-4287-489d-af4d-8ae834b06040"
23setup = """## Setup
24
25
26This rule requires data coming in from Auditd Manager.
27
28### Auditd Manager Integration Setup
29The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
30Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
31
32#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
33- Go to the Kibana home page and click “Add integrations”.
34- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
35- Click “Add Auditd Manager”.
36- Configure the integration name and optionally add a description.
37- Review optional and advanced settings accordingly.
38- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
39- Click “Save and Continue”.
40- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
41
42#### Rule Specific Setup Note
43Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
44However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
45- For this detection rule the following additional audit rules are required to be added to the integration:
46 -- "-a always,exit -F arch=b64 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules"
47 -- "-a always,exit -F arch=b32 -S finit_module -S init_module -S delete_module -F auid!=-1 -k modules"
48"""
49severity = "medium"
50tags = [
51 "Data Source: Auditd Manager",
52 "Domain: Endpoint",
53 "OS: Linux",
54 "Use Case: Threat Detection",
55 "Tactic: Persistence",
56 "Tactic: Defense Evasion",
57 "Resources: Investigation Guide",
58]
59timestamp_override = "event.ingested"
60type = "eql"
61
62query = '''
63driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and
64auditd.data.syscall in ("init_module", "finit_module") and user.id != "0"
65'''
66note = """## Triage and analysis
67
68> **Disclaimer**:
69> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
70
71### Investigating Kernel Driver Load by non-root User
72
73Kernel modules extend the functionality of the Linux kernel, allowing dynamic loading of drivers or features. Typically, only root users can load these modules due to their potential to alter system behavior. Adversaries may exploit this by loading malicious modules, such as rootkits, to gain control and evade detection. The detection rule identifies non-root users attempting to load modules, signaling potential unauthorized activity.
74
75### Possible investigation steps
76
77- Review the alert details to identify the non-root user (user.id) involved in the kernel module loading attempt.
78- Check the system logs and audit logs for any additional context around the time of the event, focusing on the specific system calls (init_module, finit_module) used.
79- Investigate the source and legitimacy of the kernel module being loaded by examining the module's file path and associated metadata.
80- Assess the user's recent activity and permissions to determine if there are any signs of privilege escalation or unauthorized access.
81- Correlate this event with other security alerts or anomalies on the same host to identify potential patterns of malicious behavior.
82- Verify the integrity and security posture of the affected system by running a comprehensive malware and rootkit scan.
83
84### False positive analysis
85
86- Legitimate software or system utilities may occasionally load kernel modules as part of their normal operation. Identify these applications and verify their behavior to ensure they are not malicious.
87- Development environments or testing scenarios might involve non-root users loading kernel modules for legitimate purposes. Consider creating exceptions for these specific users or processes after thorough validation.
88- Some system management tools or scripts executed by non-root users might trigger this rule. Review these tools and, if deemed safe, add them to an exception list to prevent unnecessary alerts.
89- In environments where non-root users are granted specific permissions to load kernel modules, ensure these permissions are documented and monitored. Adjust the rule to exclude these known and authorized activities.
90- Regularly review and update the list of exceptions to ensure that only verified and non-threatening behaviors are excluded, maintaining the integrity of the detection rule.
91
92### Response and remediation
93
94- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
95- Terminate any suspicious processes associated with the non-root user attempting to load the kernel module to halt any ongoing malicious activity.
96- Conduct a thorough review of the loaded kernel modules on the affected system to identify and remove any unauthorized or malicious modules.
97- Reset credentials and review permissions for the non-root user involved in the alert to prevent further unauthorized actions.
98- Escalate the incident to the security operations team for a deeper forensic analysis to determine the scope of the compromise and identify any additional affected systems.
99- Implement enhanced monitoring and logging for kernel module loading activities across all systems to detect similar threats in the future.
100- Review and update security policies to ensure that only authorized users have the necessary permissions to load kernel modules, reducing the risk of unauthorized access."""
101
102
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105[[rule.threat.technique]]
106id = "T1547"
107name = "Boot or Logon Autostart Execution"
108reference = "https://attack.mitre.org/techniques/T1547/"
109[[rule.threat.technique.subtechnique]]
110id = "T1547.006"
111name = "Kernel Modules and Extensions"
112reference = "https://attack.mitre.org/techniques/T1547/006/"
113
114
115
116[rule.threat.tactic]
117id = "TA0003"
118name = "Persistence"
119reference = "https://attack.mitre.org/tactics/TA0003/"
120[[rule.threat]]
121framework = "MITRE ATT&CK"
122[[rule.threat.technique]]
123id = "T1014"
124name = "Rootkit"
125reference = "https://attack.mitre.org/techniques/T1014/"
126
127
128[rule.threat.tactic]
129id = "TA0005"
130name = "Defense Evasion"
131reference = "https://attack.mitre.org/tactics/TA0005/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Kernel Driver Load by non-root User
Kernel modules extend the functionality of the Linux kernel, allowing dynamic loading of drivers or features. Typically, only root users can load these modules due to their potential to alter system behavior. Adversaries may exploit this by loading malicious modules, such as rootkits, to gain control and evade detection. The detection rule identifies non-root users attempting to load modules, signaling potential unauthorized activity.
Possible investigation steps
- Review the alert details to identify the non-root user (user.id) involved in the kernel module loading attempt.
- Check the system logs and audit logs for any additional context around the time of the event, focusing on the specific system calls (init_module, finit_module) used.
- Investigate the source and legitimacy of the kernel module being loaded by examining the module's file path and associated metadata.
- Assess the user's recent activity and permissions to determine if there are any signs of privilege escalation or unauthorized access.
- Correlate this event with other security alerts or anomalies on the same host to identify potential patterns of malicious behavior.
- Verify the integrity and security posture of the affected system by running a comprehensive malware and rootkit scan.
False positive analysis
- Legitimate software or system utilities may occasionally load kernel modules as part of their normal operation. Identify these applications and verify their behavior to ensure they are not malicious.
- Development environments or testing scenarios might involve non-root users loading kernel modules for legitimate purposes. Consider creating exceptions for these specific users or processes after thorough validation.
- Some system management tools or scripts executed by non-root users might trigger this rule. Review these tools and, if deemed safe, add them to an exception list to prevent unnecessary alerts.
- In environments where non-root users are granted specific permissions to load kernel modules, ensure these permissions are documented and monitored. Adjust the rule to exclude these known and authorized activities.
- Regularly review and update the list of exceptions to ensure that only verified and non-threatening behaviors are excluded, maintaining the integrity of the detection rule.
Response and remediation
- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary.
- Terminate any suspicious processes associated with the non-root user attempting to load the kernel module to halt any ongoing malicious activity.
- Conduct a thorough review of the loaded kernel modules on the affected system to identify and remove any unauthorized or malicious modules.
- Reset credentials and review permissions for the non-root user involved in the alert to prevent further unauthorized actions.
- Escalate the incident to the security operations team for a deeper forensic analysis to determine the scope of the compromise and identify any additional affected systems.
- Implement enhanced monitoring and logging for kernel module loading activities across all systems to detect similar threats in the future.
- Review and update security policies to ensure that only authorized users have the necessary permissions to load kernel modules, reducing the risk of unauthorized access.
Related rules
- Kernel Driver Load
- Kernel Load or Unload via Kexec Detected
- APT Package Manager Configuration File Creation
- Authentication via Unusual PAM Grantor
- Base16 or Base32 Encoding/Decoding Activity