From 0a0c5986c5297dc5bb9d5af2caa3bfaba9d958a8 Mon Sep 17 00:00:00 2001
From: Craig Chamberlain
Date: Tue, 22 Sep 2020 16:18:51 -0400
Subject: [PATCH] [New Rule] Anomalous Kernel Module Activity (#257)
* Create ml_linux_rare_kernel_module_arguments.toml
* rare module rule
* Update ml_linux_anomalous_kernel_module_arguments.toml
* Update ml_linux_anomalous_kernel_module_arguments.toml
* Update ml_linux_anomalous_kernel_module_arguments.toml
* Update rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
...nux_anomalous_kernel_module_arguments.toml | 42 +++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
diff --git a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
new file mode 100644
index 000000000..25fd58c85
--- /dev/null
+++ b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
@@ -0,0 +1,42 @@
+[metadata]
+creation_date = "2020/09/03"
+ecs_version = ["1.6.0"]
+maturity = "production"
+updated_date = "2020/09/03"
+
+[rule]
+anomaly_threshold = 25
+author = ["Elastic"]
+description = """
+Looks for unusual kernel module activity. Kernel modules are sometimes used by malware and persistence mechanisms for
+stealth.
+"""
+false_positives = [
+ """
+ A Linux host running unusual device drivers or other kinds of kernel modules could trigger this detection.
+ Troubleshooting or debugging activity using unusual arguments could also trigger this detection.
+ """,
+]
+from = "now-45m"
+interval = "15m"
+license = "Elastic License"
+machine_learning_job_id = "linux_rare_kernel_module_arguments"
+name = "Anomalous Kernel Module Activity"
+references = ["references"]
+risk_score = 21
+rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
+severity = "low"
+tags = ["Elastic", "Linux", "ML"]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1215"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1215/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
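Review bot: `references = ["references"]` is a placeholder rather than a citation: the array holds the literal word "references", so the rule ships with a reference list that points nowhere, and an analyst following it from an alert gets nothing. Either point it at the ML job's documentation, `references = ["<placeholder: linux_rare_kernel_module_arguments job docs URL>"]`, or drop the key until such a link exists. The threat mapping near the end cites T1215, which I believe ATT&CK retired in the v7 (July 2020) release in favour of the sub-technique T1547.006 under the same Persistence tactic; if the repository's mappings have moved to that version, re-point the technique with `id = "T1547.006"` and `reference = "https://attack.mitre.org/techniques/T1547/006/"` so the rule does not tag a deprecated ID. As a layout point, `[[rule.threat]]` and `[[rule.threat.technique]]` follow the previous key with no separation while `[rule.threat.tactic]` is preceded by two blank lines; a single blank line before each header would match the `[metadata]`/`[rule]` spacing above.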