Special File Creation via Mknod Syscall
Detects usage of the mknod syscall to create special files (e.g., character or block devices).
Attackers or malware might use mknod to create fake devices, interact with kernel interfaces,
or establish covert channels in Linux systems.
Monitoring the use of mknod is important because this syscall is rarely used by legitimate applications,
and it can be abused to bypass file system restrictions or create backdoors.
Sigma rule
```yaml
title: Special File Creation via Mknod Syscall
id: 710bdbce-495d-491d-9a8f-7d0d88d2b41e
status: experimental
description: |
    Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
    Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
    or establish covert channels in Linux systems.
    Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
    and it can be abused to bypass file system restrictions or create backdoors.
references:
    - https://man7.org/linux/man-pages/man2/mknod.2.html
    - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
author: Milad Cheraghi
date: 2025-05-31
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        syscall: 'mknod'
    condition: selection
falsepositives:
    - Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)
    - Container runtimes or security tools during initialization
level: low
```
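To see what the selection above actually matches, here is an added example (not code from the Sigma rule or the SigmaHQ project) that runs the rule's logic over a handful of constructed auditd records. It illustrates two caveats a practitioner will hit when deploying the rule. First, auditd emits SYSCALL records for mknod only if an audit rule asks for them; the `-a always,exit -F arch=b64 -S mknod -S mknodat -k special_file` line in the code is an assumed example of such a rule, not something the Sigma rule ships. Second, the selection as written matches only the legacy `mknod` syscall, while modern glibc implements the mknod() wrapper via `mknodat` and 64-bit ARM has no `mknod` syscall at all, so a deployment that wants the coverage the description promises should add `mknodat` to both the audit rule and the selection. The syscall numbers 133/259 are the real x86_64 values; every log line, process name and path below is constructed for illustration.

```python
"""Run the rule's selection (type=SYSCALL AND syscall=mknod) over auditd records.

Added example, not code from the Sigma rule or its repository. All log lines are
constructed; the x86_64 syscall numbers (133 = mknod, 259 = mknodat) are real.
"""
import re
from typing import Dict, List, Tuple

# Assumed audit rule (not part of the Sigma rule): without a line like this in
# audit.rules, the kernel never produces the SYSCALL records the selection needs.
AUDIT_RULE = "-a always,exit -F arch=b64 -S mknod -S mknodat -k special_file"

# Raw audit logs carry syscall numbers; `ausearch -i` output shows names instead.
X86_64_SYSCALLS = {"133": "mknod", "259": "mknodat"}

# Constructed records. 401: legacy mknod syscall from a custom binary.
# 402: the same action via coreutils mknod on a current glibc, which issues
#      mknodat(AT_FDCWD = 0xffffff9c, ...) and so escapes the rule as written.
# 403: unrelated openat by udev. 404: a raw record, syscall given as a number.
# a1=2180 is S_IFCHR|0600, a2=103 is makedev(1, 3); the PATH record confirms them.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1717200000.123:401): arch=x86_64 syscall=mknod success=yes exit=0 a0=7ffd3e0a1c40 a1=2180 a2=103 a3=0 items=2 ppid=1201 pid=1202 auid=1000 uid=0 gid=0 euid=0 comm="a.out" exe="/tmp/a.out" key="special_file"
type=SYSCALL msg=audit(1717200000.456:402): arch=x86_64 syscall=mknodat success=yes exit=0 a0=ffffff9c a1=7ffd3e0a1c40 a2=2180 a3=103 items=2 ppid=1201 pid=1203 auid=1000 uid=0 gid=0 euid=0 comm="mknod" exe="/usr/bin/mknod" key="special_file"
type=PATH msg=audit(1717200000.456:402): item=1 name="/dev/fake0" inode=1234 dev=00:19 mode=020600 ouid=0 ogid=0 rdev=01:03 nametype=CREATE
type=SYSCALL msg=audit(1717200001.789:403): arch=x86_64 syscall=openat success=yes exit=3 a0=ffffff9c a1=55d1c0a2b2a0 a2=80000 a3=0 items=1 ppid=1 pid=1204 auid=4294967295 uid=0 gid=0 euid=0 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" key=(null)
type=SYSCALL msg=audit(1717200002.001:404): arch=c000003e syscall=133 success=yes exit=0 a0=7ffd3e0a1c40 a1=2180 a2=103 a3=0 items=2 ppid=1 pid=1205 auid=1000 uid=0 gid=0 euid=0 comm="python3" exe="/usr/bin/python3.11" key="special_file"
"""

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")        # msg=audit(<epoch>:<serial>):


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one auditd line into a field dict, mapping raw syscall numbers to names."""
    rec = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = MSG_RE.search(rec.get("msg", ""))
    if m:
        rec["timestamp"], rec["serial"] = m.group(1), m.group(2)
    sc = rec.get("syscall", "")
    # Only x86_64 numbers are known here; other arches use different tables.
    if sc.isdigit() and rec.get("arch") in ("c000003e", "x86_64"):
        rec["syscall"] = X86_64_SYSCALLS.get(sc, sc)
    return rec


def sigma_selection(rec: Dict[str, str], syscalls: Tuple[str, ...] = ("mknod",)) -> bool:
    """The rule's `selection`: type 'SYSCALL' AND syscall in the given set (default: mknod only)."""
    return rec.get("type") == "SYSCALL" and rec.get("syscall") in syscalls


def run_rule(log: str, syscalls: Tuple[str, ...] = ("mknod",)) -> List[str]:
    """Return the audit serials of all records the selection matches, in log order."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_record(line)
        if sigma_selection(rec, syscalls):
            hits.append(rec.get("serial", "?"))
    return hits


if __name__ == "__main__":
    print("audit rule assumed      :", AUDIT_RULE)
    print("selection as written    :", run_rule(SAMPLE_LOG))                       # ['401', '404']
    print("with mknodat included   :", run_rule(SAMPLE_LOG, ("mknod", "mknodat")))  # ['401', '402', '404']
```

Serial 402 is the interesting one: it is the stock `mknod /dev/fake0 c 1 3` a user would type, yet it is invisible to the selection because the syscall field says `mknodat`. Widening the selection to `syscall: ['mknod', 'mknodat']` (and the audit rule to `-S mknod -S mknodat`) closes that gap; the PATH record with `nametype=CREATE` and a device `mode=` is what you would correlate on to tell a real device node from a FIFO or regular file created through the same syscall.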
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- CobaltStrike Service Installations - Security
- CobaltStrike Service Installations - System
- CosmicDuke Service Installation
- Deny Service Access Using Security Descriptor Tampering Via Sc.EXE