Kernel Object File Creation
This rule detects the creation of a Linux kernel object file (.ko) on a system. Threat actors may leverage Linux kernel object files to load a rootkit or other type of malware on a system, providing them with complete control and the ability to hide from security products.
Elastic rule
[metadata]
creation_date = "2024/12/19"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation of a Linux kernel object file (.ko) on a system. Threat actors may leverage Linux kernel
object files to load a rootkit or other type of malware on a system providing them with complete control and the ability
to hide from security products.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "kuery"
license = "Elastic License v2"
name = "Kernel Object File Creation"
risk_score = 21
rule_id = "1965eab8-d17f-4b21-8c48-ad5ff133695d"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:file and host.os.type:linux and event.type:creation and file.extension:ko and not (
  file.path:/var/tmp/mkinitramfs_* or process.executable:/snap/* or process.name:cpio
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Kernel Object File Creation

Kernel object files (.ko) are loadable modules that extend the functionality of the Linux kernel, often used for adding drivers or system features. Adversaries exploit this by loading malicious modules, such as rootkits, to gain control and evade detection. The detection rule identifies suspicious .ko file creation, excluding benign paths, to flag potential threats while minimizing false positives.

### Possible investigation steps

- Review the file path of the created .ko file to determine if it is located in a suspicious or unusual directory that is not excluded by the rule, such as /var/tmp or /usr/local.
- Examine the process that created the .ko file by checking the process.executable and process.name fields to identify if it is a known legitimate process or potentially malicious.
- Investigate the parent process of the process that created the .ko file to understand the context of how the file was created and if it was initiated by a legitimate user action or a script.
- Check for any recent system changes or anomalies around the time of the .ko file creation, such as new user accounts, changes in system configurations, or other suspicious file activities.
- Look for any associated network activity from the host around the time of the .ko file creation to identify potential command and control communications or data exfiltration attempts.
- Correlate the alert with other security events or logs from the same host to identify any patterns or additional indicators of compromise that may suggest a broader attack campaign.

### False positive analysis

- Kernel updates and system maintenance activities can generate .ko files in legitimate scenarios. Users should monitor for these activities and consider excluding paths related to official update processes.
- Custom kernel module development by developers or system administrators may trigger this rule. Establish a process to whitelist known development environments or specific user accounts involved in module creation.
- Automated system recovery tools, such as those using mkinitramfs, may create .ko files. Ensure these paths are excluded as indicated in the rule to prevent unnecessary alerts.
- Snap package installations might involve .ko file creation. Exclude the /snap/ directory to avoid false positives from legitimate package installations.
- Backup and restoration processes using tools like cpio can lead to .ko file creation. Verify these processes and exclude them if they are part of routine system operations.

### Response and remediation

- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate any suspicious processes associated with the creation of the .ko file, especially those not originating from known benign paths.
- Remove the suspicious .ko file from the system to prevent it from being loaded into the kernel.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious components.
- Review system logs and audit trails to identify any unauthorized access or changes made around the time of the .ko file creation.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if the threat is part of a larger attack campaign.
- Implement additional monitoring and alerting for similar activities, ensuring that any future attempts to create or load unauthorized .ko files are promptly detected and addressed."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"

[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[rule.new_terms]
field = "new_terms_fields"
value = ["process.name", "file.name"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
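To make the rule's behaviour concrete, here is an added offline re-implementation (example code, not Elastic's engine) of the KQL filter with its three exclusions and of the new_terms logic on the (process.name, file.name) pair over a 10-day history window and a 9-minute run window. The ECS-style events, the `dkms`/`cp` process names and the file paths are constructed sample data, not real telemetry.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

HISTORY_WINDOW = timedelta(days=10)               # history_window_start = "now-10d"
RUN_WINDOW = timedelta(minutes=9)                 # from = "now-9m"
NEW_TERMS_FIELDS = ("process.name", "file.name")  # rule.new_terms value

def matches_query(ev):
    """The rule's KQL: a .ko creation on Linux, minus the three benign exclusions.
    KQL wildcards match across '/', which fnmatchcase also does."""
    if not (ev.get("event.category") == "file" and ev.get("host.os.type") == "linux"
            and ev.get("event.type") == "creation" and ev.get("file.extension") == "ko"):
        return False
    excluded = (fnmatchcase(ev.get("file.path", ""), "/var/tmp/mkinitramfs_*")
                or fnmatchcase(ev.get("process.executable", ""), "/snap/*")
                or ev.get("process.name") == "cpio")
    return not excluded

def new_terms_alerts(events, now):
    """Alert on run-window events whose (process.name, file.name) pair was not seen
    in any matching event since the start of the history window."""
    seen, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["@timestamp"] < now - HISTORY_WINDOW or not matches_query(ev):
            continue  # outside the history window, or filtered out by the query
        key = tuple(ev.get(f) for f in NEW_TERMS_FIELDS)
        if ev["@timestamp"] >= now - RUN_WINDOW and key not in seen:
            alerts.append(ev)
        seen.add(key)  # history-window events only build the baseline
    return alerts

NOW = datetime(2025, 1, 15, 12, 0, 0)

def _ev(age, fields):
    base = {"@timestamp": NOW - age, "event.category": "file", "event.type": "creation",
            "host.os.type": "linux", "file.extension": "ko"}
    return {**base, **fields}

# Constructed sample events (hypothetical process names and paths)
SAMPLE_EVENTS = [
    _ev(timedelta(days=8), {"process.name": "dkms", "file.name": "nvidia.ko",
        "file.path": "/var/lib/dkms/nvidia/1/build/nvidia.ko"}),          # baseline
    _ev(timedelta(minutes=2), {"process.name": "dkms", "file.name": "nvidia.ko",
        "file.path": "/var/lib/dkms/nvidia/2/build/nvidia.ko"}),          # known pair
    _ev(timedelta(minutes=3), {"process.name": "mkinitramfs", "file.name": "ext4.ko",
        "file.path": "/var/tmp/mkinitramfs_Ab12/lib/modules/ext4.ko"}),   # excluded path
    _ev(timedelta(minutes=4), {"process.name": "cpio", "file.name": "xfs.ko",
        "file.path": "/lib/modules/6.1/kernel/fs/xfs/xfs.ko"}),           # excluded process
    _ev(timedelta(minutes=1), {"process.name": "cp", "file.name": "example_mod.ko",
        "file.path": "/tmp/example_mod.ko"}),                             # new pair -> alert
]

def demo():
    """Return the file paths that would alert for the constructed sample."""
    return [a["file.path"] for a in new_terms_alerts(SAMPLE_EVENTS, NOW)]
```

Only the `cp` write to /tmp alerts: the dkms pair is already in the baseline, and the mkinitramfs and cpio events are dropped by the exclusions before they can count as new terms.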
Related rules
- APT Package Manager Configuration File Creation
- DNF Package Manager Plugin File Creation
- Directory Creation in /bin directory
- Dynamic Linker (ld.so) Creation
- Dynamic Linker Creation or Modification