Kernel Load or Unload via Kexec Detected

This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, which lets them tamper with the system's trusted state and can enable, for example, a VM escape.

Elastic rule (View on GitHub)

# Elastic prebuilt detection rule: alerts when the kexec userspace tool is executed
# on a Linux endpoint with one of its load / unload / exec actions (Elastic Defend data).
[metadata]
creation_date = "2023/06/09"
maturity = "production"
# Schema-compatibility notes: the named fields only exist from min_stack_version onward.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/07/31"
# Integration that produces the data stream read by `index` below.
integration = ["endpoint"]

[rule]
author = ["Elastic"]
# The trailing space at the end of each wrapped line is part of the string value;
# this is how the rule tooling emits folded descriptions, so leave it untouched.
description = """
This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential 
compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different 
kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, 
escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to 
tamper with the system's trusted state, allowing e.g. a VM Escape. 
"""
# Lookback window per rule run; combined with `timestamp_override = "event.ingested"`
# it tolerates ingest delay, so events that arrive late are still evaluated.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Kernel Load or Unload via Kexec Detected"
# Background reading: the VENOM hypervisor escape and a general Linux hardening guide.
references = [
    "https://www.crowdstrike.com/blog/venom-vulnerability-details/",
    "https://www.makeuseof.com/what-is-venom-vulnerability/",
    "https://madaidans-insecurities.github.io/guides/linux-hardening.html"
]
# 47 is Elastic's conventional risk_score for "medium"; keep the two fields in step.
risk_score = 47
rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

# Fires on the exec of a process named "kexec" whose argument list contains one of
# the load / unload / exec action flags. `--load-panic` / `-p` (the crash-dump kernel
# used by kdump) is not in the list — presumably to avoid alerting on routine kdump
# setup at boot; confirm before extending the flag set.
# Coverage rests on `process.name`: kexec activity that does not pass through a
# binary of that name (a program invoking kexec_load(2) / kexec_file_load(2)
# directly) is not seen here and needs complementary syscall-level auditing. On
# hosts that never legitimately kexec, the `kernel.kexec_load_disabled` sysctl or
# kernel lockdown removes the capability outright, making any hit here high-signal.
query = '''
process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and 
process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u")
'''

# MITRE ATT&CK mappings: one [[rule.threat]] element per tactic. The technique and
# tactic headers that follow each element belong to the most recent [[rule.threat]].
# Escape to Host is mapped because a replaced kernel can be leveraged against the
# hypervisor (see the VENOM references above).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1611"
name = "Escape to Host"
reference = "https://attack.mitre.org/techniques/T1611/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# Persistence: a loaded kernel survives until the next reboot and controls what
# runs from that point on, hence the Kernel Modules and Extensions sub-technique.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"

[[rule.threat.technique.subtechnique]]
id = "T1547.006"
name = "Kernel Modules and Extensions"
reference = "https://attack.mitre.org/techniques/T1547/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# Defense Evasion: swapping the running kernel is treated as patching the system image.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1601"
name = "Modify System Image"
reference = "https://attack.mitre.org/techniques/T1601/"

[[rule.threat.technique.subtechnique]]
id = "T1601.001"
name = "Patch System Image"
reference = "https://attack.mitre.org/techniques/T1601/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
