Shells Modifying Files in Known Linux Kernel Modules Directories

Detects shell processes (bash, sh, dash or zsh) writing files into the directories that are consulted when loadable Linux kernel modules (LKM) are located and auto-loaded: the versioned module trees under /lib/modules/ and the modules-load.d configuration directories. Part of the Red Canary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Shells Modifying Files in Known Linux Kernel Modules Directories
id: 173fa93c-88ce-4d3f-89de-cfc849a94821
status: experimental
description: |
    Detects configuration files being written to specific directories that are searched when
    looking for loadable Linux Kernel Modules (LKM). Part of the RedCanary 2024 Threat Detection
    Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: file_event
detection:
    selection:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/dash'
            - '/zsh'
        TargetFilename|contains:
            - '/lib/modules/*/'
            - '/etc/modules-load.d/'
            - '/lib/modules-load.d/'
            - '/usr/lib/modules-load.d/'
            - '/usr/local/lib/modules-load.d/'
    condition: selection
falsepositives:
    - Unknown
level: low
```
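To see exactly what the selection above matches, here is the rule's logic re-implemented in Python and run over a handful of constructed file-creation events. This is an added example, not code from the rule's author or from the Sigma project. The event dictionaries are made up (not real telemetry) and use the Sigma linux/file_event field names `Image` and `TargetFilename`; the modifier translation follows the Sigma specification (unescaped `*` and `?` are wildcards, `contains` wraps the value as `*value*`, `endswith` as `*value`, and string matching is case-insensitive by default).

```python
import re

# Values copied verbatim from the Sigma rule above.
SHELL_SUFFIXES = ['/bash', '/sh', '/dash', '/zsh']
TARGET_PATTERNS = [
    '/lib/modules/*/',
    '/etc/modules-load.d/',
    '/lib/modules-load.d/',
    '/usr/lib/modules-load.d/',
    '/usr/local/lib/modules-load.d/',
]


def sigma_regex(value: str, modifier: str) -> re.Pattern:
    """Compile one Sigma string value under an 'endswith' or 'contains' modifier.

    Sigma treats unescaped '*' and '?' as wildcards. 'contains' wraps the value
    as *value* and 'endswith' as *value. Sigma string matching is case-insensitive
    by default, which is reproduced here even though Linux paths are case-sensitive.
    """
    body = ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c)
                   for c in value)
    if modifier == 'contains':
        body = '.*' + body + '.*'
    elif modifier == 'endswith':
        body = '.*' + body
    else:
        raise ValueError(f'unsupported modifier: {modifier}')
    return re.compile(body, re.IGNORECASE | re.DOTALL)


IMAGE_RXS = [sigma_regex(v, 'endswith') for v in SHELL_SUFFIXES]
TARGET_RXS = [sigma_regex(v, 'contains') for v in TARGET_PATTERNS]


def selection(event: dict) -> bool:
    """The rule's 'selection' block: both fields must match (AND); within a
    field list any single value suffices (OR)."""
    image = event.get('Image', '')
    target = event.get('TargetFilename', '')
    return (any(rx.fullmatch(image) for rx in IMAGE_RXS)
            and any(rx.fullmatch(target) for rx in TARGET_RXS))


# Constructed sample events, labelled with the outcome a reader should expect.
SAMPLE_EVENTS = [
    # 1: shell redirect dropping an autoload config -> match
    {'id': 1, 'Image': '/usr/bin/bash',
     'TargetFilename': '/etc/modules-load.d/vmware.conf'},
    # 2: sh writing a .ko under a versioned module tree -> match
    {'id': 2, 'Image': '/bin/sh',
     'TargetFilename': '/lib/modules/6.1.0-18-amd64/extra/rootkit.ko'},
    # 3: merged-/usr path; '/lib/modules/*/' is unanchored, so it still matches
    {'id': 3, 'Image': '/usr/bin/bash',
     'TargetFilename': '/usr/lib/modules/6.1.0-18-amd64/modules.dep'},
    # 4: same file, but the writer is not one of the four shells -> no match
    {'id': 4, 'Image': '/usr/bin/python3',
     'TargetFilename': '/etc/modules-load.d/x.conf'},
    # 5: look-alike path without the trailing slash -> no match
    {'id': 5, 'Image': '/usr/bin/zsh',
     'TargetFilename': '/home/user/lib/modules-load.d.txt'},
    # 6: a shell the rule does not list (coverage gap) -> no match
    {'id': 6, 'Image': '/usr/bin/fish',
     'TargetFilename': '/etc/modules-load.d/evil.conf'},
    # 7: file directly in /lib/modules/, no version subdirectory -> no match
    {'id': 7, 'Image': '/bin/dash',
     'TargetFilename': '/lib/modules/README'},
]


def matching_ids(events) -> list:
    """Return the ids of events the rule would alert on, in input order."""
    return [e['id'] for e in events if selection(e)]


if __name__ == '__main__':
    for e in SAMPLE_EVENTS:
        flag = 'ALERT' if selection(e) else '     '
        print(f"{flag} {e['Image']} -> {e['TargetFilename']}")
```

Two caveats fall out of running this. First, `Image` is the process that performs the write, so only writes done by the shell itself (redirections, heredocs) are caught; a script that does `cp rootkit.ko /lib/modules/$(uname -r)/extra/` or `tee /etc/modules-load.d/x.conf` produces an event whose `Image` is `cp` or `tee`, and the rule stays silent, as it does for shells not in the list (event 6). Second, because `contains` is unanchored, `/lib/modules/*/` also covers `/usr/lib/modules/` on merged-/usr systems (event 3), but it requires a subdirectory component after `/lib/modules/` (event 7). Package and DKMS post-install scripts that run under `/bin/sh` and write into these trees will match too, which is why `falsepositives` is `Unknown` and the level is `low`; tune by excluding known maintainer-script parents before raising it.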
