Suspicious Modprobe File Event | Elastic Security Solution [8.8]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Suspicious Mining Process Creation Event Suspicious Module Loaded by LSASS »

Suspicious Modprobe File Eventedit

Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.

Rule type: new_terms

Rule indices:

auditbeat-*
logs-auditd_manager.auditd-*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

OS: Linux
Use Case: Threat Detection
Tactic: Discovery
Rule Type: BBR

Version: 104

Rule authors:

Elastic

Rule license: Elastic License v2

Rule queryedit

host.os.type:linux and event.category:file and event.action:"opened-file" and
file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: System Information Discovery
- ID: T1082
- Reference URL: https://attack.mitre.org/techniques/T1082/

« Suspicious Mining Process Creation Event Suspicious Module Loaded by LSASS »