IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« TCC Bypass via Mounted APFS Snapshot Access Tampering of Bash Command-Line History »

› › ›

Tainted Kernel Module Load

edit

Tainted Kernel Module Load

edit

This rule monitors the syslog log file for messages related to instances of a tainted kernel module load. Rootkits often leverage kernel modules as their main defense evasion technique. Detecting tainted kernel module loads is crucial for ensuring system security and integrity, as malicious or unauthorized modules can compromise the kernel and lead to system vulnerabilities or unauthorized access.

Rule type: query

Rule indices:

logs-system.syslog-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Rule Type: BBR

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

host.os.type:linux and event.dataset:"system.syslog" and process.name:kernel and
message:"module verification failed: signature and/or required key missing - tainting kernel"

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
Sub-technique:
- Name: Kernel Modules and Extensions
- ID: T1547.006
- Reference URL: https://attack.mitre.org/techniques/T1547/006/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Rootkit
- ID: T1014
- Reference URL: https://attack.mitre.org/techniques/T1014/

« TCC Bypass via Mounted APFS Snapshot Access Tampering of Bash Command-Line History »