IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Appendix [: Downloadable rule update v8.11.8 Suspicious Dynamic Linker Discovery via od »

› ›

Executable Masquerading as Kernel Process

edit

Executable Masquerading as Kernel Process

edit

Monitors for kernel processes with associated process executable fields that are not empty. Unix kernel processes such as kthreadd and kworker typically do not have process.executable fields associated to them. Attackers may attempt to hide their malicious programs by masquerading as legitimate kernel processes.

Rule type: eql

Rule indices:

logs-endpoint.events.*
endgame-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://sandflysecurity.com/blog/linux-stealth-rootkit-malware-with-edr-evasion-analyzed/

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where host.os.type == "linux" and event.action in ("exec", "exec_event") and event.type == "start" and
process.name : ("kworker*", "kthread*") and process.executable != null

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Hide Artifacts
- ID: T1564
- Reference URL: https://attack.mitre.org/techniques/T1564/
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
Sub-technique:
- Name: Masquerade Task or Service
- ID: T1036.004
- Reference URL: https://attack.mitre.org/techniques/T1036/004/

« Appendix [: Downloadable rule update v8.11.8 Suspicious Dynamic Linker Discovery via od »