Non-depmod Process Modifying modules.dep

Detects an unusual process modifying the modules.dep file. The modules.dep and modules.dep.bin files should only be modified by the depmod utility. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Non-depmod Process Modifying modules.dep
id: c0bbc749-9ed3-483b-b3ac-7c5732a61fda
status: experimental
description: |
    Detects unusual process modifying the modules.dep file. The modules.dep and modules.dep.bin
    files should only be modified by the depmod utility. Part of the RedCanary 2024 Threat
    Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|startswith: '/lib/modules/'
        TargetFilename|endswith:
            - '/modules.dep'
            - '/modules.dep.bin'
    filter:
        Image|endswith: '/depmod'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
```
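To show what the `selection and not filter` condition actually matches, here is an added Python replay of the rule's logic over a handful of constructed Linux `file_event` records; this is example code written for this page, not part of the Sigma rule or RedCanary's tooling, and the event dictionaries, image paths and kernel version are invented.

```python
MODULE_ROOT = "/lib/modules/"
TARGET_SUFFIXES = ("/modules.dep", "/modules.dep.bin")
ALLOWED_IMAGE_SUFFIX = "/depmod"


def matches_rule(event: dict) -> bool:
    """Return True when the event would fire the Sigma rule.

    Mirrors 'selection and not filter': a target path under /lib/modules/
    ending in modules.dep or modules.dep.bin, written by an image that does
    not end in /depmod. Sigma string matching is case-insensitive by
    default, so both sides are lower-cased here to match that behaviour.
    """
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    selection = target.startswith(MODULE_ROOT) and target.endswith(TARGET_SUFFIXES)
    filtered = image.endswith(ALLOWED_IMAGE_SUFFIX)
    return selection and not filtered


def alerts(events):
    """Return the events that would trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # Expected: depmod regenerating the dependency map after a kernel update.
    {"Image": "/usr/sbin/depmod",
     "TargetFilename": "/lib/modules/6.1.0-18-amd64/modules.dep"},
    # Expected: depmod writing a different file in the tree is out of scope.
    {"Image": "/usr/sbin/depmod",
     "TargetFilename": "/lib/modules/6.1.0-18-amd64/modules.alias"},
    # Fires: an interactive editor rewriting modules.dep.
    {"Image": "/usr/bin/vim",
     "TargetFilename": "/lib/modules/6.1.0-18-amd64/modules.dep"},
    # Fires: a copy utility replacing the binary index.
    {"Image": "/usr/bin/cp",
     "TargetFilename": "/lib/modules/6.1.0-18-amd64/modules.dep.bin"},
    # Does not fire: a same-named file outside /lib/modules/.
    {"Image": "/usr/bin/cp",
     "TargetFilename": "/tmp/build/modules.dep"},
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['TargetFilename']}")
```

One deployment caveat: on distributions with a merged /usr, /lib is a symlink and the module tree lives at /usr/lib/modules/, so if your file_event source logs resolved paths the '/lib/modules/' prefix will never match and the selection should be widened accordingly.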
