The SIEM app is now a part of the Elastic Security solution. Click here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.

« Permission Theft - Prevented - Elastic Endpoint Potential Application Shimming via Sdbinst »

› › ›

Persistence via Kernel Module Modification

edit

Persistence via Kernel Module Modification

edit

Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.

Rule type: query

Rule indices:

auditbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM

Tags:

Elastic
Linux

Version: 2 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.7.0

Potential false positives

edit

Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon.

Rule query

edit

process.name:(insmod or kmod or modprobe or rmod) and
event.action:executed

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/techniques/TA0003/
Technique:
- Name: Kernel Modules and Extensions
- ID: T1215
- Reference URL: https://attack.mitre.org/techniques/T1215/

Rule version history

edit

Version 2 (7.7.0 release)

Updated query, changed from:

process.name: (insmod or kmod or modprobe or rmod) and
event.action:executed

« Permission Theft - Prevented - Elastic Endpoint Potential Application Shimming via Sdbinst »