Kernel Driver Load by non-root User
editKernel Driver Load by non-root User
editDetects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.
Rule type: eql
Rule indices:
- logs-auditd_manager.auditd-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Defense Evasion
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editdriver where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0"
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
-
Sub-technique:
- Name: Kernel Modules and Extensions
- ID: T1547.006
- Reference URL: https://attack.mitre.org/techniques/T1547/006/
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: Rootkit
- ID: T1014
- Reference URL: https://attack.mitre.org/techniques/T1014/