Persistence via Kernel Module Modification

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Persistence via Kernel Module Modification

edit

Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.

Rule indices:

auditbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum signals per execution: 100

References:

https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM

Tags:

Elastic
Linux

Rule version: 1

Added (Elastic Stack release): 7.6.0

Potential false positives

edit

Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon.

Rule query

edit

process.name: (insmod or kmod or modprobe or rmod) and
event.action:executed

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/techniques/TA0003/
Technique:
- Name: Kernel Modules and Extensions
- ID: T1215
- Reference URL: https://attack.mitre.org/techniques/T1215/

« Permission Theft - Prevented - Elastic Endpoint Potential Application Shimming via Sdbinst »