Loadable Kernel Module Configuration File Creation
This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system.
Elastic rule
[metadata]
creation_date = "2024/12/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation of Loadable Kernel Module (LKM) configuration files. Attackers may create or modify these
files to allow their LKMs to be loaded upon reboot, ensuring persistence on a compromised system.
"""
from = "now-9m"
index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Loadable Kernel Module Configuration File Creation"
risk_score = 21
rule_id = "6e2355cc-c60a-4d92-a80c-e54a45ad2400"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "linux" and event.action in ("rename", "creation") and process.executable != null and
file.path like~ (
  "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*",
  "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*"
) and not (
  process.executable in (
    "/bin/dpkg", "/usr/bin/dpkg", "/bin/dockerd", "/usr/bin/dockerd", "/usr/sbin/dockerd", "/bin/microdnf",
    "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm", "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum",
    "/bin/dnf", "/usr/bin/dnf", "/bin/podman", "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic",
    "/bin/pacman", "/usr/bin/pacman", "/usr/bin/dpkg-divert", "/bin/dpkg-divert", "/sbin/apk", "/usr/sbin/apk",
    "/usr/local/sbin/apk", "/usr/bin/apt", "/usr/sbin/pacman", "/bin/podman", "/usr/bin/podman", "/usr/bin/puppet",
    "/bin/puppet", "/opt/puppetlabs/puppet/bin/puppet", "/usr/bin/chef-client", "/bin/chef-client",
    "/bin/autossl_check", "/usr/bin/autossl_check", "/proc/self/exe", "/dev/fd/*", "/usr/bin/pamac-daemon",
    "/bin/pamac-daemon", "/usr/local/bin/dockerd", "/opt/elasticbeanstalk/bin/platform-engine",
    "/opt/puppetlabs/puppet/bin/ruby", "/usr/libexec/platform-python", "/opt/imunify360/venv/bin/python3",
    "/opt/eset/efs/lib/utild", "/usr/sbin/anacron", "/usr/bin/podman", "/kaniko/kaniko-executor", "/usr/bin/prime-select"
  ) or
  file.extension in ("swp", "swpx", "swx", "dpkg-remove") or
  file.Ext.original.extension == "dpkg-new" or
  process.executable like (
    "/nix/store/*", "/var/lib/dpkg/info/kmod.postinst", "/tmp/vmis.*", "/snap/*", "/dev/fd/*",
    "/usr/libexec/platform-python*"
  ) or
  process.executable == null or
  process.name in (
    "crond", "executor", "puppet", "droplet-agent.postinst", "cf-agent", "schedd", "imunify-notifier", "perl",
    "jumpcloud-agent", "crio", "dnf_install", "utild"
  ) or
  (process.name == "sed" and file.name : "sed*") or
  (process.name == "perl" and file.name : "e2scrub_all.tmp*")
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Loadable Kernel Module Configuration File Creation

Loadable Kernel Modules (LKMs) are components that can be dynamically loaded into the Linux kernel to extend its functionality without rebooting. Adversaries exploit this by creating or altering LKM configuration files to ensure their malicious modules load at startup, achieving persistence. The detection rule identifies suspicious file creation or renaming activities in key directories, excluding benign processes, to flag potential threats.

### Possible investigation steps

- Review the file path and name to determine if it matches any known or expected LKM configuration files, focusing on paths like /etc/modules, /etc/modprobe.d/*, and others specified in the query.
- Examine the process executable responsible for the file creation or renaming to identify if it is a known or trusted application, especially if it is not in the list of excluded executables.
- Check the process name and executable path for any anomalies or signs of masquerading, particularly if they are not in the list of excluded names or paths.
- Investigate the user account associated with the process to determine if it has legitimate access or if it might be compromised.
- Correlate the event with other recent system activities to identify any patterns or additional suspicious behavior, such as other file modifications or network connections.
- Review system logs for any related entries that might provide additional context or evidence of malicious activity.
- Assess the risk and impact of the detected activity on the system's security posture and determine if further containment or remediation actions are necessary.

### False positive analysis

- System package managers like dpkg, rpm, and yum may trigger false positives when they update or install legitimate kernel modules. To handle this, exclude these processes by adding them to the exception list in the detection rule.
- Automated system management tools such as Puppet, Chef, and Ansible can create or modify LKM configuration files during routine operations. Exclude these processes by specifying their executables in the exception criteria.
- Temporary files created by text editors or system processes, such as those with extensions like swp or swx, can be mistaken for suspicious activity. Exclude these file extensions to reduce false positives.
- Processes running from specific directories like /nix/store or /snap may be part of legitimate software installations. Add these paths to the exclusion list to prevent unnecessary alerts.
- Scheduled tasks or cron jobs that involve file operations in the monitored directories might be flagged. Identify and exclude these processes by their names or paths to minimize false positives.

### Response and remediation

- Isolate the affected system from the network to prevent further propagation of the malicious loadable kernel module.
- Terminate any suspicious processes identified in the alert that are associated with the creation or modification of LKM configuration files.
- Remove or revert any unauthorized changes to LKM configuration files in the specified directories to prevent the malicious module from loading on reboot.
- Conduct a thorough scan of the system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malicious components.
- Review system logs and the history of executed commands to identify the initial vector of compromise and any other affected systems.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised.
- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"

[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
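To see how the EQL above actually decides, here is an added Python re-implementation of its matching logic (not Elastic's code) run over constructed file events. It mirrors the rule's `like~`/`:` case-insensitive and `like`/`in` case-sensitive semantics with fnmatch; the exclusion lists are abridged to a representative subset of the rule's entries, and the `ev` helper and the sample events are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Monitored paths, copied from the rule's `file.path like~ (...)` list
WATCHED_PATHS = (
    "/etc/modules", "/etc/modprobe.d/*", "/usr/lib/modprobe.d/*", "/etc/modules-load.d/*",
    "/run/modules-load.d/*", "/usr/local/lib/modules-load.d/*", "/usr/lib/modules-load.d/*",
)
# Exclusions abridged from the rule (package managers, config management, temp files)
EXCLUDED_EXECUTABLES = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/yum", "/usr/bin/dnf", "/usr/bin/apt", "/usr/bin/puppet"}
EXCLUDED_EXE_GLOBS = ("/nix/store/*", "/snap/*", "/dev/fd/*", "/usr/libexec/platform-python*")
EXCLUDED_NAMES = {"crond", "puppet", "cf-agent", "perl", "crio", "utild"}
TEMP_EXTENSIONS = {"swp", "swpx", "swx", "dpkg-remove"}

def like(value, patterns, ci=False):
    """EQL `like` (case-sensitive); with ci=True, `like~` and `:` (case-insensitive)."""
    if value is None:
        return False
    if ci:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def matches_rule(e):
    """True if a file event (dict keyed by ECS field name) would raise the rule's alert."""
    exe, name = e.get("process.executable"), e.get("process.name")
    if (e.get("host.os.type") != "linux" or e.get("event.action") not in ("rename", "creation")
            or exe is None or not like(e.get("file.path"), WATCHED_PATHS, ci=True)):
        return False
    excluded = (
        exe in EXCLUDED_EXECUTABLES
        or e.get("file.extension") in TEMP_EXTENSIONS
        or e.get("file.Ext.original.extension") == "dpkg-new"
        or like(exe, EXCLUDED_EXE_GLOBS)
        or name in EXCLUDED_NAMES
        or (name == "sed" and like(e.get("file.name"), ("sed*",), ci=True))
    )
    return not excluded

def ev(exe, name, path, ext=None, action="creation"):
    # Hypothetical helper: build a constructed Linux file event in the rule's field names
    return {"host.os.type": "linux", "event.action": action, "process.executable": exe, "process.name": name,
            "file.path": path, "file.name": path.rsplit("/", 1)[-1], "file.extension": ext}

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    ev("/usr/bin/bash", "bash", "/etc/modules-load.d/helper.conf", "conf"),                # alerts
    ev("/usr/bin/dpkg", "dpkg", "/etc/modprobe.d/blacklist.conf", "conf", action="rename"),  # package manager
    ev("/usr/bin/vim", "vim", "/etc/modprobe.d/.local.conf.swp", "swp"),                   # editor swap file
    ev("/usr/bin/sed", "sed", "/etc/modprobe.d/sedX1aB2c"),                                 # sed -i temp file
    ev("/usr/bin/bash", "bash", "/etc/ModProbe.d/x.conf", "conf"),                         # like~ ignores case: alerts
    ev("/usr/bin/python3", "python3", "/etc/ld.so.conf.d/x.conf", "conf"),                 # outside monitored paths
]

def alerts(events=SAMPLE_EVENTS):
    return [e["file.path"] for e in events if matches_rule(e)]
```

Note that an excluded executable name is matched exactly, so a binary copied to a different path than the ones listed still alerts; the `process.name` exclusions, by contrast, match on name alone regardless of path.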
Related rules
- APT Package Manager Configuration File Creation
- DNF Package Manager Plugin File Creation
- Directory Creation in /bin directory
- Dynamic Linker (ld.so) Creation
- Dynamic Linker Creation or Modification