Nasreddine Bencherchali
28 lines
1010 B
YAML
28 lines
1010 B
YAML
title: Loading of Kernel Module via Insmod
|
|
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
|
|
status: experimental
|
|
description: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
|
|
author: 'Pawel Mazur'
|
|
date: 2021/11/02
|
|
references:
|
|
- https://attack.mitre.org/techniques/T1547/006/
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
|
|
- https://linux.die.net/man/8/insmod
|
|
- https://man7.org/linux/man-pages/man8/kmod.8.html
|
|
logsource:
|
|
product: linux
|
|
service: auditd
|
|
detection:
|
|
selection:
|
|
type: 'SYSCALL'
|
|
comm: insmod
|
|
exe: /usr/bin/kmod
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|
|
tags:
|
|
- attack.persistence
|
|
- attack.privilege_escalation
|
|
- attack.t1547.006
|