Loading of Kernel Module via Insmod

Detects loading of kernel modules with the insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence on the system or to elevate privileges.

Sigma rule (View on GitHub)

title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
    Detects loading of kernel modules with insmod command.
    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
    Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
    - https://linux.die.net/man/8/insmod
    - https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021/11/02
modified: 2022/12/25
tags:
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1547.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe: /usr/bin/kmod
    condition: selection
falsepositives:
    - Unknown
level: high
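To show what the selection block above actually matches, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that parses raw auditd SYSCALL records and applies the rule's three field constraints with Sigma's AND semantics. The log lines are constructed for the example; timestamps, pids and syscall numbers are illustrative. The sample deliberately includes two insmod executions the rule does not fire on: one on a host whose kmod binary is installed as /bin/kmod rather than /usr/bin/kmod (assumed to be an unmerged-/usr layout), and one where the kmod binary was copied to /tmp, since the rule pins `exe` to one exact path.

```python
import re
from typing import Dict, List

# The three field constraints of the rule's "selection" block.  Sigma
# semantics for a map of fields are AND: every field must match.
SELECTION = {"type": "SYSCALL", "comm": "insmod", "exe": "/usr/bin/kmod"}

# key=value pairs as auditd writes them; values that may contain spaces are
# double-quoted.  Non-printable comm/exe values are hex-encoded and unquoted;
# they are kept verbatim here (they would not match the rule either way).
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one raw auditd record into a field -> value dict."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def matches_selection(record: Dict[str, str],
                      selection: Dict[str, str] = SELECTION) -> bool:
    """True when every field in the selection equals the record's value."""
    return all(record.get(field) == wanted for field, wanted in selection.items())


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw audit lines; return the records that fire."""
    return [rec for rec in map(parse_audit_record, lines) if matches_selection(rec)]


# Constructed sample records (timestamps, pids and syscall numbers are made up).
SAMPLE_LOG = [
    # 1. insmod via the kmod multi-call binary at /usr/bin/kmod: fires.
    'type=SYSCALL msg=audit(1636000000.100:501): arch=c000003e syscall=313 success=yes exit=0 '
    'ppid=1200 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=1 '
    'comm="insmod" exe="/usr/bin/kmod" key="modules"',
    # 2. modprobe loads a module too, but the rule only keys on comm=insmod: no hit.
    'type=SYSCALL msg=audit(1636000000.200:502): arch=c000003e syscall=313 success=yes exit=0 '
    'ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 '
    'comm="modprobe" exe="/usr/bin/kmod" key="modules"',
    # 3. Same insmod on a host without merged /usr, where kmod is /bin/kmod: no hit,
    #    because the rule pins exe to /usr/bin/kmod exactly (assumed layout).
    'type=SYSCALL msg=audit(1636000000.300:503): arch=c000003e syscall=313 success=yes exit=0 '
    'ppid=1400 pid=1401 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=2 '
    'comm="insmod" exe="/bin/kmod" key="modules"',
    # 4. A copy of the kmod binary invoked as insmod from /tmp: no hit, same reason.
    'type=SYSCALL msg=audit(1636000000.400:504): arch=c000003e syscall=313 success=yes exit=0 '
    'ppid=1500 pid=1501 auid=1000 uid=0 gid=0 euid=0 tty=pts1 ses=2 '
    'comm="insmod" exe="/tmp/kmod" key="modules"',
    # 5. The companion PROCTITLE record ("insmod\0test.ko" hex-encoded) carries no
    #    comm/exe fields: no hit.
    'type=PROCTITLE msg=audit(1636000000.100:501): proctitle=696E736D6F6400746573742E6B6F',
]


if __name__ == "__main__":
    for rec in detect(SAMPLE_LOG):
        print(f"ALERT pid={rec['pid']} auid={rec['auid']} "
              f"comm={rec['comm']} exe={rec['exe']}")
```

Only record 1 fires. The silent cases are worth knowing when deploying this rule: because `exe` is an exact path, a host that installs kmod under /bin or an attacker who runs a relocated copy of the binary produces no alert, and module loads via modprobe are out of scope by design (comm is `modprobe`). If broader coverage is wanted, a common tuning (not part of this rule) is to match the executable with a suffix condition such as `exe|endswith: /kmod` and to pair the rule with an auditd syscall watch on `init_module` and `finit_module`, which catches any loader regardless of the program name.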
