Systemd Loading a Linux Kernel Module Using insmod
Detects the systemd process running commands that would load a Linux kernel module. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: Systemd Loading a Linux Kernel Module Using insmod
id: 6ec5eab7-03aa-4a6b-8562-012f3ddd2c64
status: experimental
description: |
    Detects the systemd process running commands that would load a Linux kernel module. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '/systemd'
        Image|endswith: '/insmod'
    condition: selection
falsepositives:
    - Unknown
level: low
```
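The selection above is a single map, so both field tests must hold for one event: the parent image path must end in `/systemd` and the image path must end in `/insmod`. To make the matching semantics concrete, here is an added example (not part of the rule page, and not RedCanary's or Sigma's code) that evaluates that selection over a handful of constructed `linux/process_creation` events. It assumes Sigma's default behaviour of case-insensitive string comparison, and it implements only the `endswith` modifier and plain equality, which is all this rule needs.

```python
"""Evaluate the 'Systemd Loading a Linux Kernel Module Using insmod' selection
over constructed process_creation events (added example, not the page's code)."""

# The rule's selection map, copied field-for-field from the YAML above.
RULE_SELECTION = {
    "ParentImage|endswith": "/systemd",
    "Image|endswith": "/insmod",
}


def _field_matches(value, modifier, pattern):
    # Sigma string comparisons are case-insensitive by default (assumption:
    # the backend evaluating this rule keeps that default).
    if value is None:
        return False  # a missing field can never satisfy a selection
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier is None:
        return v == p
    raise ValueError(f"unsupported modifier for this example: {modifier}")


def selection_matches(event, selection=RULE_SELECTION):
    """All key/value pairs inside one Sigma selection map are ANDed together."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), modifier or None, pattern):
            return False
    return True


def run_detection(events, selection=RULE_SELECTION):
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if selection_matches(e, selection)]


# Constructed sample events shaped like Sigma's linux process_creation fields.
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/insmod", "ParentImage": "/usr/lib/systemd/systemd",
     "CommandLine": "insmod /lib/modules/example.ko"},          # both tests hold: alert
    {"Image": "/usr/sbin/insmod", "ParentImage": "/usr/bin/bash",
     "CommandLine": "insmod /lib/modules/example.ko"},          # parent is a shell: no alert
    {"Image": "/usr/lib/systemd/systemd-modules-load",
     "ParentImage": "/usr/lib/systemd/systemd",
     "CommandLine": "/usr/lib/systemd/systemd-modules-load"},   # not insmod: no alert
    {"Image": "/sbin/INSMOD", "ParentImage": "/lib/systemd/SYSTEMD",
     "CommandLine": "INSMOD x.ko"},                             # case differs: still an alert
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"], "|", hit["CommandLine"])
```

Two things the sample makes visible: the rule does not look at `CommandLine`, so it fires on any `insmod` that systemd spawns directly, including one started from a legitimate unit file, which is why the rule ships at `level: low` with unknown false positives; and because `/usr/lib/systemd/systemd-modules-load` is a different binary, module loads performed through `modules-load.d` are outside this rule's scope (the related `modprobe` rule listed below covers a neighbouring path). When tuning, enriching the alert with the module path from `CommandLine` and comparing it against the host's expected module set is a practical next step.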
Related rules
- Non-depmod Process Modifying modules.dep
- Shells Modifying Files in Known Linux Kernel Modules Directories
- Systemd Loading a Linux Kernel Module Using modprobe
- PowerShell Startup Folder Persistence
- AppInit DLL Installation