security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1aea1ee9bb52d5b05aad36c57a2f3d915c7945b1
sigma-rules/rules/linux/discovery_kernel_module_enumeration.toml
T
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-05 11:41:19 -07:00

53 lines
1.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
description = """
Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They
extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate
information about a kernel module.
"""
false_positives = [
"""
Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs
by ordinary users is uncommon. These can be exempted by process name or username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*", "endgame-*"]
language = "kuery"
license = "Elastic License v2"
name = "Enumeration of Kernel Modules"
risk_score = 47
rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and host.os.type:linux and event.type:(start or process_started) and
process.args:(kmod and list and sudo or sudo and (depmod or lsmod or modinfo))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
Reference in New Issue View Git Blame Copy Permalink