security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/linux/auditd/lnx_auditd_load_module_insmod.yml
T
zakibro 30f13d41f5 Update lnx_auditd_load_module_insmod.yml 
fixing missing date
2021-11-02 17:16:59 +01:00

28 lines
970 B
YAML
Raw Blame History

title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: experimental
description: Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
author: 'Pawel Mazur'
date: 2021/11/02
references:
- https://attack.mitre.org/techniques/T1547/006/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md
- https://linux.die.net/man/8/insmod
- https://man7.org/linux/man-pages/man8/kmod.8.html
logsource:
product: linux
service: auditd
detection:
insmod:
type: 'SYSCALL'
comm: insmod
exe: /usr/bin/kmod
condition: insmod
falsepositives:
- Unknown
level: high
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1547.006
Reference in New Issue View Git Blame Copy Permalink