Nasreddine Bencherchali
5656c48a97
chore: rename auditd folders and others update: Audio Capture - Updated syscall field to SYSCALL in order to make use of enriched logs update: ASLR Disabled Via Sysctl or Direct Syscall - Linux - Updated syscall field to SYSCALL in order to make use of enriched logs update: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs update: System Info Discovery via Sysinfo Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs update: Special File Creation via Mknod Syscall - Updated syscall field to SYSCALL in order to make use of enriched logs update: Webshell Remote Command Execution - Updated syscall field to SYSCALL in order to make use of enriched logs
31 lines
984 B
YAML
31 lines
984 B
YAML
title: Loading of Kernel Module via Insmod
|
|
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
|
|
status: test
|
|
description: |
|
|
Detects loading of kernel modules with insmod command.
|
|
Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
|
|
Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
|
|
- https://linux.die.net/man/8/insmod
|
|
- https://man7.org/linux/man-pages/man8/kmod.8.html
|
|
author: 'Pawel Mazur'
|
|
date: 2021-11-02
|
|
modified: 2022-12-25
|
|
tags:
|
|
- attack.persistence
|
|
- attack.privilege-escalation
|
|
- attack.t1547.006
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
selection:
|
|
type: 'SYSCALL'
|
|
comm: insmod
|
|
exe: /usr/bin/kmod
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|