Kernel Module Removal | SIEM Guide [7.8]

The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

› › ›

« Interactive Terminal Spawned via Python Local Scheduled Task Commands »

Kernel Module Removaledit

Identifies attempts to remove a kernel module. Kernel modules are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system.

Rule type: query

Rule indices:

auditbeat-*

Severity: high

Risk score: 73

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

http://man7.org/linux/man-pages/man8/modprobe.8.html

Tags:

Elastic
Linux

Version: 1

Added (Elastic Stack release): 7.8.0

Potential false positivesedit

There is usually no reason to remove modules, but some buggy modules require removal. These can be exempted by username. Note that some Linux distributions are not built to support the removal of modules at all.

Rule queryedit

event.action:executed and process.args:(rmmod and sudo or modprobe and
sudo and ("--remove" or "-r"))

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Disabling Security Tools
- ID: T1089
- Reference URL: https://attack.mitre.org/techniques/T1089/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Kernel Modules and Extensions
- ID: T1215
- Reference URL: https://attack.mitre.org/techniques/T1215/

« Interactive Terminal Spawned via Python Local Scheduled Task Commands »