From 64b3fa8d1d45f5d422fc759f3d62db4a503819c3 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Thu, 6 Jul 2023 16:03:27 +0200 Subject: [PATCH] [New Rule] Kernel Load/Unload via Kexec Detected (#2846) * [New Rule] Kernel Load/Unload via Kexec * Added additional references * changed rule name * changed the query to be more precise * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * changed description based on feedback * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> --- ...n_load_and_unload_of_kernel_via_kexec.toml | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml new file mode 100644 index 000000000..5f49255c9 --- /dev/null +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -0,0 +1,87 @@ +[metadata] +creation_date = "2023/06/09" +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/06/09" +integration = ["endpoint"] + +[rule] +author = ["Elastic"] +description = """ +This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential +compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different +kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, +escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to +tamper with the system's trusted state, allowing e.g. a VM Escape. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Kernel Load or Unload via Kexec Detected" +references = [ + "https://www.crowdstrike.com/blog/venom-vulnerability-details/", + "https://www.makeuseof.com/what-is-venom-vulnerability/", + "https://madaidans-insecurities.github.io/guides/linux-hardening.html" +] +risk_score = 73 +rule_id = "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957" +severity = "high" +tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +process where host.os.type == "linux" and event.action == "exec" and process.name == "kexec" and +process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") +''' + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1611" +name = "Escape to Host" +reference = "https://attack.mitre.org/techniques/T1611/" + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1547" +name = "Boot or Logon Autostart Execution" +reference = "https://attack.mitre.org/techniques/T1547/" + +[[rule.threat.technique.subtechnique]] +id = "T1547.006" +name = "Kernel Modules and Extensions" +reference = "https://attack.mitre.org/techniques/T1547/006/" + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[[rule.threat.technique]] +id = "T1601" +name = "Modify System Image" +reference = "https://attack.mitre.org/techniques/T1601/" + +[[rule.threat.technique.subtechnique]] +id = "T1601.001" +name = "Patch System Image" +reference = "https://attack.mitre.org/techniques/T1601/001/" + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"