Kernel Load or Unload via Kexec Detected

  1[metadata]
  2creation_date = "2023/06/09"
  3integration = ["endpoint", "auditd_manager", "crowdstrike", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5min_stack_version = "8.13.0"
  6min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
  7updated_date = "2025/01/15"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential
 13compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different
 14kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures,
 15escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to
 16tamper with the system's trusted state, allowing e.g. a VM Escape.
 17"""
 18from = "now-9m"
 19index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
 20language = "eql"
 21license = "Elastic License v2"
 22name = "Kernel Load or Unload via Kexec Detected"
 23references = [
 24    "https://www.crowdstrike.com/blog/venom-vulnerability-details/",
 25    "https://www.makeuseof.com/what-is-venom-vulnerability/",
 26    "https://madaidans-insecurities.github.io/guides/linux-hardening.html",
 27]
 28risk_score = 47
 29rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
 30setup = """## Setup
 31
 32This rule requires data coming in from Elastic Defend.
 33
 34### Elastic Defend Integration Setup
 35Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 36
 37#### Prerequisite Requirements:
 38- Fleet is required for Elastic Defend.
 39- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 40
 41#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
 42- Go to the Kibana home page and click "Add integrations".
 43- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 44- Click "Add Elastic Defend".
 45- Configure the integration name and optionally add a description.
 46- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 47- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 48- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 49- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 50For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
 51- Click "Save and Continue".
 52- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 53For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 54"""
 55severity = "medium"
 56tags = [
 57    "Domain: Endpoint",
 58    "OS: Linux",
 59    "Use Case: Threat Detection",
 60    "Tactic: Persistence",
 61    "Tactic: Privilege Escalation",
 62    "Tactic: Defense Evasion",
 63    "Data Source: Elastic Defend",
 64    "Data Source: Elastic Endgame",
 65    "Data Source: Auditd Manager",
 66    "Data Source: Crowdstrike",
 67    "Data Source: SentinelOne",
 68    "Resources: Investigation Guide",
 69]
 70timestamp_override = "event.ingested"
 71type = "eql"
 72query = '''
 73process where host.os.type == "linux" and event.type == "start" and
 74  event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 75  process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") and
 76  not process.parent.name in ("kdumpctl", "unload.sh")
 77'''
 78note = """## Triage and analysis
 79
 80> **Disclaimer**:
 81> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 82
 83### Investigating Kernel Load or Unload via Kexec Detected
 84
 85Kexec is a Linux feature allowing a new kernel to load without rebooting, streamlining updates and recovery. However, attackers can exploit kexec to bypass security, escalate privileges, or hide activities by loading malicious kernels. The detection rule identifies suspicious kexec usage by monitoring process actions and arguments, excluding benign parent processes, to flag potential threats.
 86
 87### Possible investigation steps
 88
 89- Review the process details to confirm the presence of the kexec command with suspicious arguments such as "--exec", "-e", "--load", "-l", "--unload", or "-u".
 90- Investigate the parent process of the kexec command to ensure it is not a benign process like "kdumpctl" or "unload.sh", which are excluded from the detection rule.
 91- Check the user account associated with the kexec process to determine if it has the necessary privileges and if the activity aligns with their typical behavior.
 92- Analyze recent system logs and security events for any signs of privilege escalation or unauthorized kernel modifications around the time the kexec command was executed.
 93- Examine the system for any signs of persistence mechanisms or other indicators of compromise that may suggest a broader attack campaign.
 94- Correlate this event with other alerts or anomalies in the environment to assess if this is part of a larger attack pattern or isolated incident.
 95
 96### False positive analysis
 97
 98- Kdump operations may trigger false positives as kdumpctl is a benign parent process for kexec. Ensure kdumpctl is included in the exclusion list to prevent unnecessary alerts.
 99- Custom scripts for kernel unloading, such as unload.sh, can cause false positives. Verify these scripts are legitimate and add them to the exclusion list if they are frequently used in your environment.
100- Routine administrative tasks involving kernel updates or testing may involve kexec. Confirm these activities are authorized and consider excluding specific administrative accounts or processes from detection.
101- Automated system recovery processes that utilize kexec might be flagged. Identify these processes and exclude them if they are part of a known and secure recovery mechanism.
102- Security tools or monitoring solutions that use kexec for legitimate purposes should be reviewed and excluded to avoid false alerts, ensuring they are recognized as trusted applications.
103
104### Response and remediation
105
106- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the attacker.
107- Terminate any suspicious kexec processes identified by the detection rule to halt any ongoing malicious kernel loading activities.
108- Conduct a thorough review of system logs and process histories to identify any unauthorized kernel loads or modifications, and revert to a known good state if necessary.
109- Restore the system from a clean backup taken before the suspicious activity was detected to ensure system integrity and remove any potential backdoors or malicious kernels.
110- Update and patch the system to the latest security standards to mitigate any vulnerabilities that could be exploited by similar attacks in the future.
111- Implement strict access controls and monitoring on systems with kexec capabilities to prevent unauthorized usage and ensure only trusted personnel can perform kernel operations.
112- Escalate the incident to the security operations center (SOC) or relevant incident response team for further investigation and to assess the potential impact on other systems within the network."""
113
114[[rule.threat]]
115framework = "MITRE ATT&CK"
116
117[[rule.threat.technique]]
118id = "T1611"
119name = "Escape to Host"
120reference = "https://attack.mitre.org/techniques/T1611/"
121
122[rule.threat.tactic]
123id = "TA0004"
124name = "Privilege Escalation"
125reference = "https://attack.mitre.org/tactics/TA0004/"
126
127[[rule.threat]]
128framework = "MITRE ATT&CK"
129
130[[rule.threat.technique]]
131id = "T1547"
132name = "Boot or Logon Autostart Execution"
133reference = "https://attack.mitre.org/techniques/T1547/"
134
135[[rule.threat.technique.subtechnique]]
136id = "T1547.006"
137name = "Kernel Modules and Extensions"
138reference = "https://attack.mitre.org/techniques/T1547/006/"
139
140[rule.threat.tactic]
141id = "TA0003"
142name = "Persistence"
143reference = "https://attack.mitre.org/tactics/TA0003/"
144
145[[rule.threat]]
146framework = "MITRE ATT&CK"
147
148[[rule.threat.technique]]
149id = "T1601"
150name = "Modify System Image"
151reference = "https://attack.mitre.org/techniques/T1601/"
152
153[[rule.threat.technique.subtechnique]]
154id = "T1601.001"
155name = "Patch System Image"
156reference = "https://attack.mitre.org/techniques/T1601/001/"
157
158[rule.threat.tactic]
159id = "TA0005"
160name = "Defense Evasion"
161reference = "https://attack.mitre.org/tactics/TA0005/"