diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index 048a62f38..b0fd18bbc 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/07/11"
 integration = ["endpoint", "auditd_manager", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/12/22"
+updated_date = "2026/02/18"
 [transform]
 [[transform.osquery]]
@@ -36,7 +36,7 @@ description = """
 Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate
-suspcious or malicious behavior.
+suspicious or malicious behavior.
 """
 from = "now-9m"
 index = [
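Review bot: The description's first context line still opens with `Detects the use of the insmod binary to load a Linux kernel object file.`, but the rule is renamed to 'Kernel Module Load via Built-in Utility' in the next hunk and the query gains modprobe and kmod branches, so after this commit the description no longer states what the rule detects; only the `suspcious` typo is fixed here. Suggest opening with `Detects the use of built-in kernel module utilities (insmod, modprobe, or the kmod multi-call binary) to load a Linux kernel module.` and changing `this binary` to `these binaries`. The closing claim that manually loading a module `should not be at all common` was written for insmod; modprobe is invoked routinely by system services, so either scope that sentence to insmod or drop it.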
@@ -49,16 +49,16 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-name = "Kernel Module Load via insmod"
+name = "Kernel Module Load via Built-in Utility"
 note = """## Triage and analysis
-### Investigating Kernel module load via insmod
+### Investigating Kernel Module Load via Built-in Utility
-The insmod binary is a Linux utility that allows users with root privileges to load kernel modules, which are object files that extend the functionality of the kernel.
+Threat actors with root privileges may abuse pre-installed binaries to load loadable kernel modules (LKMs), which are object files that extend the functionality of the kernel.
 Threat actors can abuse this utility to load rootkits, granting them full control over the system and the ability to evade security products.
-The detection rule 'Kernel module load via insmod' is designed to identify instances where the insmod binary is used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.
+The detection rule 'Kernel Module Load via Built-in Utility' is designed to identify instances where these binaries are used to load a kernel object file (with a .ko extension) on a Linux system. This activity is uncommon and may indicate suspicious or malicious behavior.
 > **Note**:
 > This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.
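Review bot: The rewritten guide paragraph refers to `pre-installed binaries` and later `these binaries` without ever naming them, and the unchanged next sentence still says `this utility`, which now has no antecedent. Name them once so an analyst knows which process names to look for, e.g. `Threat actors with root privileges may abuse pre-installed binaries such as insmod, modprobe, or the kmod multi-call binary to load loadable kernel modules (LKMs), which are object files that extend the functionality of the kernel.`, and change `this utility` to `these utilities`. The new detection-rule sentence still says the file has `a .ko extension`, which holds for the insmod branches but not for modprobe, where the argument is a module name; `a kernel module (a .ko file for insmod, or a module name for modprobe)` would be accurate. The `note` multi-line string that holds this text continues past the hunk.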
@@ -66,7 +66,7 @@ The detection rule 'Kernel module load via insmod' is designed to identify insta
 ### Possible investigation steps
-- Investigate the kernel object file that was loaded via insmod.
+- Investigate the kernel object file that was loaded.
 - $osquery_1
 - Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations.
 - $osquery_2
@@ -158,6 +158,7 @@ tags = [
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Persistence",
+ "Tactic: Defense Evasion",
 "Threat: Rootkit",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
@@ -170,8 +171,12 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where host.os.type == "linux" and event.type == "start" and
-event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
-process.name == "insmod" and process.args : "*.ko" and
+event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and (
+ (process.name == "kmod" and process.args == "insmod" and process.args like~ "*.ko*") or
+ (process.name == "kmod" and process.args == "modprobe" and not process.args in ("-r", "--remove")) or
+ (process.name == "insmod" and process.args like~ "*.ko*") or
+ (process.name == "modprobe" and not process.args in ("-r", "--remove"))
+) and not (
 ?process.parent.executable like ("/opt/ds_agent/*", "/opt/TrendMicro/vls_agent/*", "/opt/intel/oneapi/*") or
 ?process.working_directory in ("/opt/vinchin/agent", "/var/opt/ds_agent/am", "/opt/ds_agent", "/var/opt/TrendMicro/vls_agent/am") or
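Review bot: `- Investigate the kernel object file that was loaded.` presumes the process argument is a file path, which is true for the insmod branches but not for modprobe, where process.args carries a module name rather than a path, so the analyst is left without a file to examine. Suggest `- Investigate the kernel object file that was loaded. For modprobe invocations, resolve the module name to its on-disk path (for example with modinfo -n <module>) before examining the file.` The `$osquery_1` placeholder on the next line is presumably filled from the `[[transform.osquery]]` section outside this hunk and may likewise assume a path argument; worth checking.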
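Review bot: The two modprobe branches (`process.name == "modprobe"` and the kmod form) alert on every invocation whose arguments are not exactly `-r` or `--remove`, which includes non-loading modes such as `-n`/`--dry-run`/`--show`, `-D`/`--show-depends`, `-c`/`--showconfig` and `-V`/`-h`, and misses combined short options such as `-rv`, so the routine modprobe calls made by udev, systemd-modules-load and container runtimes will all reach the `not (` exclusion block, whose closing lines are outside this hunk. Extend the check on both modprobe lines, e.g. `not process.args in ("-r", "--remove", "-n", "--dry-run", "--show", "-D", "--show-depends", "-c", "--showconfig", "-V", "--version", "-h", "--help")`, and re-baseline the rule before relying on the description's "should not be at all common" premise. The insmod branches remain extension-based (`like~ "*.ko*"` only adds compressed suffixes over the old `: "*.ko"`), so coverage is limited to conventionally named module files; decide whether that is acceptable or whether an extensionless insmod branch fits the false-positive budget. The `process.args == "insmod"` / `"modprobe"` checks on the kmod lines match any argv element, presumably intended for the multi-call form `kmod insmod …`; a comment in the rule saying so would help the next maintainer.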
@@ -201,3 +206,16 @@ reference = "https://attack.mitre.org/techniques/T1547/006/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1014"
+name = "Rootkit"
+reference = "https://attack.mitre.org/techniques/T1014/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"