[Rule Tuning] Kernel Module Load via Built-in Utility (#5736)

* [Rule Tuning] Kernel Module Load via Built-in Utility

* Apply suggestion from @eric-forte-elastic

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>

* Refine process.args conditions for modprobe

* Refactor notes and references in kernel module load rule

Removed detailed notes and investigation steps related to kernel module loading via insmod utility. Updated note section and added a reference link.

* Update persistence_insmod_kernel_module_load.toml

* Update persistence_insmod_kernel_module_load.toml

* Update kernel module load rule for clarity and tactics

---------

Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Ruben Groenewoud
2026-02-23 09:48:12 +01:00
committed by GitHub
parent 3e9b8bcdc7
commit e012e88342
@@ -2,7 +2,7 @@
creation_date = "2022/07/11"
integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/12/22"
updated_date = "2026/02/18"
[transform]
[[transform.osquery]]
@@ -36,7 +36,7 @@ description = """
Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they
have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from
security products. Manually loading a kernel module in this manner should not be at all common and can indicate
suspcious or malicious behavior.
suspicious or malicious behavior.
"""
from = "now-9m"
index = [
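Review bot: the description still opens with "Detects the use of the insmod binary", but the rule name and query in this same change now also cover modprobe and the kmod multi-call binary, so the first sentence undersells the scope; suggest "Detects the use of built-in utilities such as insmod and modprobe to load a Linux kernel module" and a matching fix to "Manually loading a kernel module in this manner". The "suspcious" typo fix is correct.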
@@ -49,16 +49,16 @@ index = [
]
language = "eql"
license = "Elastic License v2"
name = "Kernel Module Load via insmod"
name = "Kernel Module Load via Built-in Utility"
note = """## Triage and analysis
### Investigating Kernel module load via insmod
### Investigating Kernel Module Load via Built-in Utility
The insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel.
Threat actors with root privileges may abuse pre-installed binaries to load loadable kernel modules (LKMs), which are object files that extend the functionality of the kernel.
Threat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.
The detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.
The detection rule 'Kernel Module Load via Built-in Utility' is designed to identify instances where these binaries are used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.
> **Note**:
> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
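Review bot: the rewritten first sentence of the note now refers to "pre-installed binaries" (plural), so the unchanged sentence that follows, "Threat actors can abuse this utility to load rootkits", has no antecedent; change "this utility" to "these utilities". The updated rule description line also still says the binaries load "a kernel object file (with a .ko extension)", which is true for the insmod branches but not for the modprobe branches of the new query, which match on a module name rather than a .ko path; reword to "load a kernel module (by .ko path or module name)" so the guide matches what the query actually alerts on.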
@@ -66,7 +66,7 @@ The detection rule 'Kernel module load via insmod' is designed to identify insta
### Possible investigation steps
- Investigate the kernel object file that was loaded via insmod.
- Investigate the kernel object file that was loaded.
- $osquery_1
- Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
- $osquery_2
@@ -158,6 +158,7 @@ tags = [
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Tactic: Defense Evasion",
"Threat: Rootkit",
"Data Source: Elastic Endgame",
"Data Source: Elastic Defend",
@@ -170,8 +171,12 @@ timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "insmod" and process.args : "*.ko" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
(process.name == "kmod" and process.args == "insmod" and process.args like~ "*.ko*") or
(process.name == "kmod" and process.args == "modprobe" and not process.args in ("-r", "--remove")) or
(process.name == "insmod" and process.args like~ "*.ko*") or
(process.name == "modprobe" and not process.args in ("-r", "--remove"))
) and
not (
?process.parent.executable like ("/opt/ds_agent/*", "/opt/TrendMicro/vls_agent/*", "/opt/intel/oneapi/*") or
?process.working_directory in ("/opt/vinchin/agent", "/var/opt/ds_agent/am", "/opt/ds_agent", "/var/opt/TrendMicro/vls_agent/am") or
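Review bot: the two modprobe branches exclude only "-r"/"--remove", so every other modprobe invocation fires, including modes that load nothing at all: "-c"/"--showconfig", "-n"/"--dry-run", "--show-depends", "-R"/"--resolve-alias" and "-V"/"--version" are all documented modprobe options and are commonly run by packaging and diagnostic scripts. Consider adding those to the "not process.args in (...)" list (or requiring a non-flag module-name argument) and re-checking the rule against a baseline, since the existing parent-executable and working-directory exclusions below were tuned for the insmod-only version. Minor: "process.name == "kmod" and process.args == "insmod"" relies on kmod being invoked with the subcommand as a separate argv entry, which should be noted in the description or investigation guide.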
@@ -201,3 +206,16 @@ reference = "https://attack.mitre.org/techniques/T1547/006/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1014"
name = "Rootkit"
reference = "https://attack.mitre.org/techniques/T1014/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
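Review bot: the new [[rule.threat]] block (T1014 Rootkit under TA0005 Defense Evasion) matches the "Tactic: Defense Evasion" tag added in the tags hunk, so the two are consistent; make sure the rule description or note also states the evasion angle (hiding from security products), which it does in the description, so the added tactic is justified by the rule text rather than only by the tag.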