litterbox/Scanners/Yara/rules/Linux_Rootkit_Generic.yar
BlackSnufkin 3c07874abc LitterBox v1.0
2024-12-27 05:02:19 -08:00


// Generic Linux rootkit detector, carried over from Elastic Security's
// public rule set (see the meta block for provenance).
//
// Matching model: the rule fires when at least 4 of the 57 symbol-name
// strings below are present in the scanned file or memory region. None of
// the strings carries a modifier, so each one is a case-sensitive ASCII
// substring match (no `fullword`, no `wide`): a name that is embedded in a
// longer symbol still counts toward the threshold. Keep that in mind when
// triaging a hit — inspect the actual matched symbols rather than treating
// the count alone as conclusive.
rule Linux_Rootkit_Generic_61229bdf {
    meta:
        // Upstream provenance. `fingerprint` is presumably a hash of the
        // upstream rule text; treat it as a provenance marker for this copy,
        // not as a checksum that is recomputed when the rule is edited here.
        author = "Elastic Security"
        id = "61229bdf-0b78-48b1-8a4d-09836dd2bcac"
        fingerprint = "8180ee7a04fd5ba23700e77ad3be7f30d592e77cffa8ebee8de7094627446335"
        creation_date = "2024-11-14"
        last_modified = "2024-11-22"
        threat_name = "Linux.Rootkit.Generic"
        severity = 100
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"

    strings:
        // The names below look like identifiers for replaced/hooked kernel
        // or libc routines, saved originals ("old_*"/"orig_*"), and
        // hide/unhide helpers. The section comments are for readability
        // only — the condition treats every string identically.

        // shell/credential helpers
        $str1 = "dropshell"
        // "fake_*" replacements for kernel reporting functions
        $str2 = "fake_account_user_time"
        $str3 = "fake_bpf_trace_printk"
        $str4 = "fake_crash_kexec"
        $str5 = "fake_loadavg_proc_show"
        $str6 = "fake_sched_debug_show"
        $str7 = "fake_seq_show_ipv4_tcp"
        $str8 = "fake_seq_show_ipv4_udp"
        $str9 = "fake_seq_show_ipv6_tcp"
        $str10 = "fake_seq_show_ipv6_udp"
        $str11 = "fake_trace_printk"
        $str12 = "give_root"
        // directory-listing / signal interception
        $str13 = "hack_getdents"
        $str14 = "hacked_getdents64"
        $str15 = "hacked_kill"
        // module and port hiding state
        $str16 = "hideModule"
        $str17 = "hide_module"
        $str18 = "hide_tcp4_port"
        $str19 = "hide_tcp6_port"
        $str20 = "hidden_tcp4_ports"
        $str21 = "hidden_tcp6_ports"
        $str22 = "hidden_udp4_ports"
        $str23 = "hidden_udp6_ports"
        // "hook_*"/"hooked_*" names
        $str24 = "hook_getdents"
        $str25 = "hook_kill"
        $str26 = "hook_local_in_func"
        $str27 = "hook_local_out_func"
        $str28 = "hook_tcp4_seq_show"
        $str29 = "hook_tcp6_seq_show"
        $str30 = "hooked_tcp6_seq_show"
        $str31 = "hooked_udp4_seq_show"
        $str32 = "hooked_udp6_seq_show"
        $str33 = "is_invisible"
        $str34 = "module_hide"
        $str35 = "module_show"
        $str36 = "nf_inet_hooks"
        // saved originals of wrapped libc/kernel functions
        $str37 = "old_access"
        $str38 = "old_fopen"
        $str39 = "old_lxstat"
        $str40 = "old_open"
        $str41 = "old_opendir"
        $str42 = "old_readdir"
        $str43 = "old_rmdir"
        $str44 = "old_unlink"
        $str45 = "old_xstat"
        $str46 = "orig_getdents"
        $str47 = "orig_getdents64"
        $str48 = "orig_kill"
        $str49 = "orig_tcp4_seq_show"
        $str50 = "orig_tcp6_seq_show"
        // backdoor/unhide helpers
        $str51 = "secret_connection"
        $str52 = "unhide_file"
        $str53 = "unhide_proc"
        $str54 = "unhide_tcp4_port"
        $str55 = "unhide_tcp6_port"
        $str56 = "unhide_udp4_port"
        $str57 = "unhide_udp6_port"

    condition:
        // Every string in this rule is a $str* entry, so "4 of them" is the
        // same threshold as "4 of ($str*)".
        4 of them
}