Tainted Kernel Module Load

  1[metadata]
  2creation_date = "2023/10/23"
  3integration = ["system"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often
 11leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for
 12ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to
 13system vulnerabilities or unauthorized access.
 14"""
 15from = "now-9m"
 16index = ["logs-system.syslog-*"]
 17language = "kuery"
 18license = "Elastic License v2"
 19name = "Tainted Kernel Module Load"
 20risk_score = 21
 21rule_id = "05cad2fb-200c-407f-b472-02ea8c9e5e4a"
 22setup = """## Setup
 23
 24This rule requires data coming in from one of the following integrations:
 25- Filebeat
 26
 27### Filebeat Setup
 28Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
 29
 30#### The following steps should be executed in order to add the Filebeat for the Linux System:
 31- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
 32- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html).
 33- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
 34- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
 35- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
 36- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
 37
 38#### Rule Specific Setup Note
 39- This rule requires the Filebeat System Module to be enabled.
 40- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
 41- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
 42"""
 43severity = "low"
 44tags = [
 45    "Domain: Endpoint",
 46    "OS: Linux",
 47    "Use Case: Threat Detection",
 48    "Tactic: Persistence",
 49    "Tactic: Defense Evasion",
 50    "Resources: Investigation Guide",
 51]
 52timestamp_override = "event.ingested"
 53type = "query"
 54
 55query = '''
 56host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and
 57message:"module verification failed: signature and/or required key missing - tainting kernel"
 58'''
 59note = """## Triage and analysis
 60
 61> **Disclaimer**:
 62> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 63
 64### Investigating Tainted Kernel Module Load
 65
 66Kernel modules extend the functionality of the Linux kernel, allowing dynamic loading of code. While beneficial, they can be exploited by adversaries to introduce malicious code, bypassing security measures. Attackers may load unsigned or improperly signed modules, leading to a "tainted" kernel state. The detection rule identifies such events by monitoring syslog for specific error messages, signaling potential unauthorized module loads, thus aiding in early threat detection and system integrity maintenance.
 67
 68### Possible investigation steps
 69
 70- Review the syslog entries around the time of the alert to gather additional context and identify any other suspicious activities or related events.
 71- Investigate the specific kernel module mentioned in the syslog message to determine its origin, legitimacy, and whether it is expected on the system.
 72- Check the system for any recent changes or installations that could have introduced the unsigned or improperly signed module, including software updates or new applications.
 73- Analyze the system for signs of compromise, such as unexpected network connections, unusual process activity, or unauthorized user accounts, which may indicate a broader security incident.
 74- Consult with system administrators or relevant personnel to verify if the module load was authorized or part of a legitimate operation, and document any findings or justifications provided.
 75
 76### False positive analysis
 77
 78- Custom kernel modules: Organizations often use custom or proprietary kernel modules that may not be signed. These can trigger false positives. To manage this, maintain a list of known, trusted custom modules and create exceptions for them in the monitoring system.
 79- Outdated or unsupported hardware drivers: Some older hardware drivers may not have signed modules, leading to false positives. Regularly update drivers and, if necessary, exclude specific drivers that are known to be safe but unsigned.
 80- Development and testing environments: In environments where kernel module development occurs, unsigned modules may be loaded frequently. Implement separate monitoring rules or exceptions for these environments to avoid unnecessary alerts.
 81- Vendor-provided modules: Certain vendors may provide modules that are not signed. Verify the legitimacy of these modules with the vendor and consider excluding them if they are confirmed to be safe.
 82- Temporary testing modules: During troubleshooting or testing, temporary modules might be loaded without proper signing. Ensure these are removed after testing and consider temporary exceptions during the testing phase.
 83
 84### Response and remediation
 85
 86- Immediately isolate the affected system from the network to prevent potential lateral movement by the attacker.
 87- Verify the integrity of the kernel and loaded modules by comparing them against known good versions or using a trusted baseline.
 88- Unload the suspicious kernel module if possible, and replace it with a verified, signed version to restore system integrity.
 89- Conduct a thorough forensic analysis of the affected system to identify any additional signs of compromise or persistence mechanisms.
 90- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other systems are affected.
 91- Implement enhanced monitoring and logging for kernel module loads and other critical system activities to detect similar threats in the future.
 92- Review and update system and network access controls to ensure only authorized personnel can load kernel modules, reducing the risk of unauthorized changes."""
 93
 94
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97[[rule.threat.technique]]
 98id = "T1547"
 99name = "Boot or Logon Autostart Execution"
100reference = "https://attack.mitre.org/techniques/T1547/"
101[[rule.threat.technique.subtechnique]]
102id = "T1547.006"
103name = "Kernel Modules and Extensions"
104reference = "https://attack.mitre.org/techniques/T1547/006/"
105
106
107
108[rule.threat.tactic]
109id = "TA0003"
110name = "Persistence"
111reference = "https://attack.mitre.org/tactics/TA0003/"
112[[rule.threat]]
113framework = "MITRE ATT&CK"
114[[rule.threat.technique]]
115id = "T1014"
116name = "Rootkit"
117reference = "https://attack.mitre.org/techniques/T1014/"
118
119
120[rule.threat.tactic]
121id = "TA0005"
122name = "Defense Evasion"
123reference = "https://attack.mitre.org/tactics/TA0005/"