Special File Creation via Mknod Syscall

calendar Jun 5, 2025 · attack.persistence attack.t1543.003  ·
Share on: linkedin copy

Detects usage of the mknod syscall to create special files (e.g., character or block devices). Attackers or malware might use mknod to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of mknod is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.

Sigma rule (View on GitHub)

 1title: Special File Creation via Mknod Syscall
 2id: 710bdbce-495d-491d-9a8f-7d0d88d2b41e
 3status: experimental
 4description: |
 5    Detects usage of the `mknod` syscall to create special files (e.g., character or block devices).
 6    Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces,
 7    or establish covert channels in Linux systems.
 8    Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications,
 9    and it can be abused to bypass file system restrictions or create backdoors.    
10references:
11    - https://man7.org/linux/man-pages/man2/mknod.2.html
12    - https://hopeness.medium.com/master-the-linux-mknod-command-a-comprehensive-guide-1c150a546aa8
13author: Milad Cheraghi
14date: 2025-05-31
15tags:
16    - attack.persistence
17    - attack.t1543.003
18logsource:
19    product: linux
20    service: auditd
21detection:
22    selection:
23        type: 'SYSCALL'
24        syscall: 'mknod'
25    condition: selection
26falsepositives:
27    - Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)
28    - Container runtimes or security tools during initialization
29level: low

References

Related rules

to-top