Shells Modifying Files in Known Linux Kernel Modules Directories
Detects configuration files being written to specific directories that are searched when looking for loadable Linux Kernel Modules (LKM). Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Shells Modifying Files in Known Linux Kernel Modules Directories
id: 173fa93c-88ce-4d3f-89de-cfc849a94821
status: experimental
description: |
  Detects configuration files being written to specific directories that are searched when
  looking for loadable Linux Kernel Modules (LKM). Part of the RedCanary 2024 Threat Detection
  Report.
references:
  - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1547
  - attack.t1547.006
logsource:
  product: linux
  category: file_event
detection:
  selection:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/dash'
      - '/zsh'
    TargetFilename|contains:
      - '/lib/modules/*/'
      - '/etc/modules-load.d/'
      - '/lib/modules-load.d/'
      - '/usr/lib/modules-load.d/'
      - '/usr/local/lib/modules-load.d/'
  condition: selection
falsepositives:
  - Unknown
level: low
```
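To make the selection logic concrete, the following is an added Python evaluator (not part of the rule, RedCanary's report or the Sigma project) that translates the rule's `endswith` and `contains` values into regexes the way Sigma backends do, including the `*` wildcard in `/lib/modules/*/`, and runs them over constructed file events; the sample paths, kernel version string and the `depmod` non-shell writer are constructed for illustration.

```python
import re

# Selection values copied verbatim from the rule above.
SHELL_IMAGES = ["/bash", "/sh", "/dash", "/zsh"]
MODULE_PATHS = ["/lib/modules/*/", "/etc/modules-load.d/", "/lib/modules-load.d/",
                "/usr/lib/modules-load.d/", "/usr/local/lib/modules-load.d/"]


def sigma_regex(value: str, modifier: str) -> re.Pattern:
    """Translate one Sigma string value plus modifier into a regex.

    Sigma matches strings case-insensitively and treats '*' and '?' as
    wildcards. 'endswith' anchors the value to the end of the field;
    'contains' allows arbitrary text on both sides.
    """
    body = re.escape(value).replace(r"\*", ".*").replace(r"\?", ".")
    tail = r"\Z" if modifier == "endswith" else ".*"
    return re.compile(".*" + body + tail, re.IGNORECASE | re.DOTALL)


SHELL_PATTERNS = [sigma_regex(v, "endswith") for v in SHELL_IMAGES]
PATH_PATTERNS = [sigma_regex(v, "contains") for v in MODULE_PATHS]


def matches(event: dict) -> bool:
    """Evaluate 'condition: selection' against one file_event record.

    Inside a Sigma selection map the values of one field are OR'd and the
    fields are AND'd: a shell image AND a module-directory target.
    """
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    return (any(p.match(image) for p in SHELL_PATTERNS)
            and any(p.match(target) for p in PATH_PATTERNS))


def alerting_events(events: list) -> list:
    """Return the events the rule would fire on."""
    return [e for e in events if matches(e)]


# Constructed sample events in Sigma field names, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/bash", "TargetFilename": "/etc/modules-load.d/custom.conf"},
    {"Image": "/bin/dash", "TargetFilename": "/lib/modules/6.1.0-18-amd64/extra/custom.ko"},
    {"Image": "/usr/sbin/depmod", "TargetFilename": "/lib/modules/6.1.0-18-amd64/modules.dep"},
    {"Image": "/usr/bin/bash", "TargetFilename": "/home/user/notes.txt"},
    {"Image": "/usr/bin/bash", "TargetFilename": "/lib/modules/custom.ko"},
]

if __name__ == "__main__":
    for e in alerting_events(SAMPLE_EVENTS):
        print("ALERT", e["Image"], "->", e["TargetFilename"])
```

Only the first two sample events fire: the `depmod` write is excluded by the `Image` clause, and a file placed directly under `/lib/modules/` without a version subdirectory does not satisfy the trailing `/` required by `/lib/modules/*/`.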
Related rules
- Non-depmod Process Modifying modules.dep
- Systemd Loading a Linux Kernel Module Using insmod
- Systemd Loading a Linux Kernel Module Using modprobe
- PowerShell Startup Folder Persistence
- AppInit DLL Installation