Initramfs Unpacking via unmkinitramfs

This rule detects the unpacking of an initramfs image using the unmkinitramfs command on Linux systems. The unmkinitramfs command is used to extract the contents of an initramfs image, which is used to boot the system. Attackers may use unmkinitramfs to unpack an initramfs image and modify its contents to include malicious code or backdoors, allowing them to maintain persistence on the system.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2025/01/16"
  3integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5min_stack_version = "8.13.0"
  6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  7updated_date = "2025/01/22"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This rule detects the unpacking of an initramfs image using the `unmkinitramfs` command on Linux systems. The
 13`unmkinitramfs` command is used to extract the contents of an initramfs image, which is used to boot the
 14system. Attackers may use `unmkinitramfs` to unpack an initramfs image and modify its contents to include
 15malicious code or backdoors, allowing them to maintain persistence on the system.
 16"""
 17from = "now-9m"
 18index = [
 19    "logs-endpoint.events.process*",
 20    "endgame-*",
 21    "auditbeat-*",
 22    "logs-auditd_manager.auditd-*",
 23    "logs-crowdstrike.fdr*",
 24    "logs-sentinel_one_cloud_funnel.*"
 25]
 26language = "eql"
 27license = "Elastic License v2"
 28name = "Initramfs Unpacking via unmkinitramfs"
 29risk_score = 21
 30rule_id = "c5fc788c-7576-4a02-b3d6-d2c016eb85a6"
 31setup = """## Setup
 32This rule requires data coming in from Elastic Defend.
 33### Elastic Defend Integration Setup
 34Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 35#### Prerequisite Requirements:
 36- Fleet is required for Elastic Defend.
 37- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 38#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 39- Go to the Kibana home page and click "Add integrations".
 40- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 41- Click "Add Elastic Defend".
 42- Configure the integration name and optionally add a description.
 43- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 44- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 45- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 46- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 47For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 48- Click "Save and Continue".
 49- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 50For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 51"""
 52severity = "low"
 53tags = [
 54    "Domain: Endpoint",
 55    "OS: Linux",
 56    "Use Case: Threat Detection",
 57    "Tactic: Persistence",
 58    "Data Source: Elastic Endgame",
 59    "Data Source: Elastic Defend",
 60    "Data Source: Auditd Manager",
 61    "Data Source: Crowdstrike",
 62    "Data Source: SentinelOne",
 63    "Resources: Investigation Guide",
 64]
 65timestamp_override = "event.ingested"
 66type = "eql"
 67query = '''
 68process where host.os.type == "linux" and event.type == "start" and
 69event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed") and
 70process.name == "unmkinitramfs"
 71'''
 72note = """## Triage and analysis
 73
 74> **Disclaimer**:
 75> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 76
 77### Investigating Initramfs Unpacking via unmkinitramfs
 78
 79Initramfs is a crucial component in Linux boot processes, containing essential drivers and scripts. The `unmkinitramfs` tool extracts its contents, which attackers might exploit to insert malicious code, ensuring persistence. The detection rule identifies the execution of `unmkinitramfs`, flagging potential unauthorized modifications by monitoring process initiation events on Linux systems.
 80
 81### Possible investigation steps
 82
 83- Review the process execution details to confirm the presence of the unmkinitramfs command, focusing on the process.name field to ensure it matches "unmkinitramfs".
 84- Check the user context under which the unmkinitramfs command was executed to determine if it aligns with expected administrative activities or if it was run by an unauthorized user.
 85- Investigate the parent process of the unmkinitramfs execution to understand how the command was initiated and if it was part of a legitimate script or an unexpected process chain.
 86- Examine recent system logs and audit logs for any other suspicious activities or anomalies around the time of the unmkinitramfs execution, such as unauthorized access attempts or changes to critical system files.
 87- Assess the integrity of the initramfs image by comparing it with a known good version, if available, to identify any unauthorized modifications or inclusions of malicious code.
 88
 89### False positive analysis
 90
 91- Routine system maintenance or updates may trigger the rule when legitimate processes unpack initramfs for kernel updates. Users can create exceptions for known maintenance scripts or processes that regularly perform these actions.
 92- Automated backup or recovery solutions might use unmkinitramfs to verify or restore system images. Identify and exclude these processes if they are part of trusted backup operations.
 93- Developers or system administrators testing or customizing initramfs images for legitimate purposes could trigger the rule. Establish a whitelist for specific user accounts or scripts that are authorized to perform these tasks.
 94- Security tools or monitoring solutions that analyze initramfs contents for integrity checks might inadvertently trigger the rule. Ensure these tools are recognized and excluded from detection to prevent unnecessary alerts.
 95
 96### Response and remediation
 97
 98- Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the attacker.
 99- Terminate any suspicious processes related to `unmkinitramfs` to halt any ongoing malicious activity.
100- Conduct a thorough review of the initramfs image and its contents to identify and remove any unauthorized modifications or malicious code.
101- Restore the initramfs image from a known good backup to ensure system integrity and remove any potential backdoors.
102- Monitor the system for any further attempts to execute `unmkinitramfs` and investigate any such occurrences to determine if they are legitimate or part of an ongoing attack.
103- Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
104- Implement additional logging and monitoring for process execution events on Linux systems to enhance detection capabilities for similar threats in the future."""
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108
109[[rule.threat.technique]]
110id = "T1542"
111name = "Pre-OS Boot"
112reference = "https://attack.mitre.org/techniques/T1542/"
113
114[[rule.threat.technique]]
115id = "T1543"
116name = "Create or Modify System Process"
117reference = "https://attack.mitre.org/techniques/T1543/"
118
119[[rule.threat.technique]]
120id = "T1574"
121name = "Hijack Execution Flow"
122reference = "https://attack.mitre.org/techniques/T1574/"
123
124[rule.threat.tactic]
125id = "TA0003"
126name = "Persistence"
127reference = "https://attack.mitre.org/tactics/TA0003/"
128
129[[rule.threat]]
130framework = "MITRE ATT&CK"
131
132[[rule.threat.technique]]
133id = "T1059"
134name = "Command and Scripting Interpreter"
135reference = "https://attack.mitre.org/techniques/T1059/"
136
137[[rule.threat.technique.subtechnique]]
138id = "T1059.004"
139name = "Unix Shell"
140reference = "https://attack.mitre.org/techniques/T1059/004/"
141
142[rule.threat.tactic]
143id = "TA0002"
144name = "Execution"
145reference = "https://attack.mitre.org/tactics/TA0002/"
146
147[[rule.threat]]
148framework = "MITRE ATT&CK"
149
150[rule.threat.tactic]
151id = "TA0005"
152name = "Defense Evasion"
153reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Initramfs Unpacking via unmkinitramfs

Initramfs is a crucial component in Linux boot processes, containing essential drivers and scripts. The unmkinitramfs tool extracts its contents, which attackers might exploit to insert malicious code, ensuring persistence. The detection rule identifies the execution of unmkinitramfs, flagging potential unauthorized modifications by monitoring process initiation events on Linux systems.

Possible investigation steps

  • Review the process execution details to confirm the presence of the unmkinitramfs command, focusing on the process.name field to ensure it matches "unmkinitramfs".
  • Check the user context under which the unmkinitramfs command was executed to determine if it aligns with expected administrative activities or if it was run by an unauthorized user.
  • Investigate the parent process of the unmkinitramfs execution to understand how the command was initiated and if it was part of a legitimate script or an unexpected process chain.
  • Examine recent system logs and audit logs for any other suspicious activities or anomalies around the time of the unmkinitramfs execution, such as unauthorized access attempts or changes to critical system files.
  • Assess the integrity of the initramfs image by comparing it with a known good version, if available, to identify any unauthorized modifications or inclusions of malicious code.

False positive analysis

  • Routine system maintenance or updates may trigger the rule when legitimate processes unpack initramfs for kernel updates. Users can create exceptions for known maintenance scripts or processes that regularly perform these actions.
  • Automated backup or recovery solutions might use unmkinitramfs to verify or restore system images. Identify and exclude these processes if they are part of trusted backup operations.
  • Developers or system administrators testing or customizing initramfs images for legitimate purposes could trigger the rule. Establish a whitelist for specific user accounts or scripts that are authorized to perform these tasks.
  • Security tools or monitoring solutions that analyze initramfs contents for integrity checks might inadvertently trigger the rule. Ensure these tools are recognized and excluded from detection to prevent unnecessary alerts.

Response and remediation

  • Immediately isolate the affected system from the network to prevent potential lateral movement or data exfiltration by the attacker.
  • Terminate any suspicious processes related to unmkinitramfs to halt any ongoing malicious activity.
  • Conduct a thorough review of the initramfs image and its contents to identify and remove any unauthorized modifications or malicious code.
  • Restore the initramfs image from a known good backup to ensure system integrity and remove any potential backdoors.
  • Monitor the system for any further attempts to execute unmkinitramfs and investigate any such occurrences to determine if they are legitimate or part of an ongoing attack.
  • Escalate the incident to the security operations team for further analysis and to determine if additional systems may be affected.
  • Implement additional logging and monitoring for process execution events on Linux systems to enhance detection capabilities for similar threats in the future.

Related rules

to-top