Systemd Loading a Linux Kernel Module Using modprobe
Detects the systemd process loading a Linux kernel module using modprobe. Part of the RedCanary 2024 Threat Detection Report.
Sigma rule

```yaml
title: Systemd Loading a Linux Kernel Module Using modprobe
id: 4d786f58-8222-4047-b635-6432da31bd7c
status: experimental
description: |
    Detects the systemd process loading a Linux kernel module using modprobe. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547
    - attack.t1547.006
logsource:
    product: linux
    category: process_creation
detection:
    selection1:
        ParentImage|endswith: '/systemd'
        Image|endswith: '/modprobe'
        CommandLine|contains:
            - '-a'
            - '-af'
            - '-fa'
    selection2:
        CommandLine|re: '^.*modprobe.*\s[a-zA-Z].*$' # looks for commands with an argument that does
                                                     # not begin with '-'
    condition: all of selection*
falsepositives:
    - Unknown
level: low
```
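The rule's matching logic transcribed into Python and run over a handful of constructed process_creation events. This is an added example, not part of the original page or of the rule itself; the event field values (paths, module names such as `vboxdrv` and `suspicious_mod`) are made up for illustration, and the case handling follows the Sigma convention that plain string modifiers are case-insensitive while `|re` is not.

```python
import re

# Rule logic transcribed from the Sigma YAML above.
SELECTION1_FLAGS = ("-a", "-af", "-fa")
SELECTION2_RE = re.compile(r"^.*modprobe.*\s[a-zA-Z].*$")

# Constructed sample events (not real telemetry). Field names follow the Sigma
# process_creation taxonomy that the rule's logsource selects.
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/lib/systemd/systemd", "Image": "/usr/sbin/modprobe",
     "CommandLine": "/usr/sbin/modprobe -a vboxdrv vboxnetflt"},       # matches
    {"ParentImage": "/usr/lib/systemd/systemd", "Image": "/usr/sbin/modprobe",
     "CommandLine": "/usr/sbin/modprobe -af suspicious_mod"},          # matches
    {"ParentImage": "/lib/systemd/systemd", "Image": "/sbin/modprobe",
     "CommandLine": "/sbin/modprobe --all dummy_mod"},                 # matches: '--all' contains '-a'
    {"ParentImage": "/usr/lib/systemd/systemd", "Image": "/usr/sbin/modprobe",
     "CommandLine": "/usr/sbin/modprobe nf_conntrack"},                # no -a flag: selection1 fails
    {"ParentImage": "/usr/bin/bash", "Image": "/usr/sbin/modprobe",
     "CommandLine": "modprobe -a rootkit_mod"},                        # parent is a shell, not systemd
    {"ParentImage": "/usr/lib/systemd/systemd", "Image": "/usr/sbin/modprobe",
     "CommandLine": "/usr/sbin/modprobe -a"},                          # flag but no module name: selection2 fails
]


def selection1(event):
    """ParentImage|endswith, Image|endswith and CommandLine|contains (case-insensitive)."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (parent.endswith("/systemd")
            and image.endswith("/modprobe")
            and any(flag in cmd for flag in SELECTION1_FLAGS))


def selection2(event):
    """CommandLine|re: whitespace followed by a letter somewhere after 'modprobe'."""
    return SELECTION2_RE.search(event.get("CommandLine", "")) is not None


def rule_matches(event):
    """condition: all of selection*"""
    return selection1(event) and selection2(event)


def run_detection(events):
    """Return the command lines of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Two behaviours worth noticing when tuning this rule: `CommandLine|contains: '-a'` is a substring test, so any long option beginning with `--a` (such as `--all`, the long form of `-a`) satisfies it, and a plain `modprobe <module>` from systemd with no `-a` family flag does not fire at all. The regex in `selection2` only checks that some argument after `modprobe` starts with a letter; it does not verify that the argument is the module name.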
References
- https://redcanary.com/threat-detection-report/techniques/kernel-modules-and-extensions/
Related rules
- Non-depmod Process Modifying modules.dep
- Shells Modifying Files in Known Linux Kernel Modules Directories
- Systemd Loading a Linux Kernel Module Using insmod
- PowerShell Startup Folder Persistence
- AppInit DLL Installation