Populate rules/ directory.

Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>

rules/linux/persistence_kernel_module_activity.toml

@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2020/02/18"
+ecs_version = ["1.4.0"]
+maturity = "production"
+updated_date = "2020/02/18"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies loadable kernel module errors, which are often indicative of potential persistence attempts."
+false_positives = [
+    """
+    Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these
+    programs by ordinary users is uncommon.
+    """,
+]
+index = ["auditbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Persistence via Kernel Module Modification"
+references = [
+    "https://www.hackers-arise.com/single-post/2017/11/03/Linux-for-Hackers-Part-10-Loadable-Kernel-Modules-LKM",
+]
+risk_score = 21
+rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
+severity = "low"
+tags = ["Elastic", "Linux"]
+type = "query"
+
+query = '''
+process.name:(insmod or kmod or modprobe or rmod) and event.action:executed
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1215"
+name = "Kernel Modules and Extensions"
+reference = "https://attack.mitre.org/techniques/T1215/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+