Suspicious Modprobe File Event

edit

Detects file events involving kernel modules in modprobe configuration files, which may indicate unauthorized access or manipulation of critical kernel modules. Attackers may tamper with the modprobe files to load malicious or unauthorized kernel modules, potentially bypassing security measures, escalating privileges, or hiding their activities within the system.

Rule type: new_terms

Rule indices:

  • auditbeat-*
  • logs-auditd_manager.auditd-*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Rule Type: BBR

Version: 104

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
host.os.type:linux and event.category:file and event.action:"opened-file" and
file.path : ("/etc/modprobe.conf" or "/etc/modprobe.d" or /etc/modprobe.d/*)

Framework: MITRE ATT&CKTM