
Loading of Kernel Module via Insmod

Detects loading of kernel modules with the insmod command, based on auditd SYSCALL records whose command name is insmod and whose executable is /usr/bin/kmod. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. Adversaries may use LKMs to obtain persistence on the system or to elevate privileges.

Author: Pawel Mazur
Log Source
Product: Linux
Service: auditd
Detection Logic (1 selector)
detection:
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe: /usr/bin/kmod
    condition: selection
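The selection above is a single map, so Sigma requires every listed field to match the same auditd record. The following is an added example (not part of the rule or the Sigma project) that transcribes the selection into Python and runs it over a handful of constructed auditd SYSCALL lines. The sample lines, timestamps, PIDs and the /tmp/kmod path are all made up for illustration; the third line is there to show that matching on an absolute exe path misses a copy of the tool placed elsewhere, and the second shows that modprobe is not covered by this rule even though it is the same kmod binary.

```python
"""Apply the insmod Sigma selection to auditd SYSCALL records (added example)."""
import re

# The rule's `selection` map, transcribed from the YAML. Sigma ANDs the
# fields of one selection, so every key here must match the record.
SELECTION = {
    "type": "SYSCALL",
    "comm": "insmod",
    "exe": "/usr/bin/kmod",
}

# Constructed auditd lines for illustration; not captured from a real host.
# syscall=313 is finit_module on x86_64, the call current kmod uses for insmod.
SAMPLE_AUDITD_LINES = [
    # 1. Matches: insmod invoked through the usr-merged kmod binary.
    'type=SYSCALL msg=audit(1667400000.123:4567): arch=c000003e syscall=313 '
    'success=yes exit=0 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 '
    'tty=pts0 ses=3 comm="insmod" exe="/usr/bin/kmod" key="modules"',
    # 2. No match: the same binary invoked as modprobe (comm differs).
    'type=SYSCALL msg=audit(1667400001.456:4568): arch=c000003e syscall=313 '
    'success=yes exit=0 ppid=1 pid=1240 auid=4294967295 uid=0 gid=0 euid=0 '
    'tty=(none) ses=4294967295 comm="modprobe" exe="/usr/bin/kmod" key="modules"',
    # 3. No match: a copy of kmod run from a hypothetical /tmp path. This is
    #    the blind spot of matching on an absolute exe value.
    'type=SYSCALL msg=audit(1667400002.789:4569): arch=c000003e syscall=313 '
    'success=yes exit=0 ppid=1200 pid=1250 auid=1000 uid=0 gid=0 euid=0 '
    'tty=pts0 ses=3 comm="insmod" exe="/tmp/kmod" key="modules"',
    # 4. No match: the PATH record of the same event has the wrong type.
    'type=PATH msg=audit(1667400000.123:4567): item=0 name="/tmp/rootkit.ko" '
    'inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]

# auditd fields are space-separated key=value pairs; values may be quoted.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Split one auditd line into its key=value fields, stripping quotes."""
    return {key: value.strip('"') for key, value in _FIELD_RE.findall(line)}


def matches_selection(record: dict, selection: dict = SELECTION) -> bool:
    """True when every selection field is present in the record and equal.

    Sigma string matching is case-insensitive by default, so both sides are
    lowercased before comparison.
    """
    for field, expected in selection.items():
        actual = record.get(field)
        if actual is None or actual.lower() != str(expected).lower():
            return False
    return True


def find_matches(lines) -> list:
    """Return (pid, exe) for every record the rule would alert on."""
    hits = []
    for line in lines:
        record = parse_audit_record(line)
        if matches_selection(record):
            hits.append((record["pid"], record["exe"]))
    return hits


if __name__ == "__main__":
    for pid, exe in find_matches(SAMPLE_AUDITD_LINES):
        print(f"ALERT kernel module load via insmod: pid={pid} exe={exe}")
```

Two practical notes. First, auditd only emits SYSCALL records for module loads if a syscall rule is in place, for example `-a always,exit -F arch=b64 -S init_module,finit_module -k modules` in audit.rules; without it this selection has nothing to match. Second, because the selection pins exe to /usr/bin/kmod, a kmod installed at a different path (older non-usr-merged layouts, or an attacker's own copy as in the third sample line) will load a module without triggering this rule, so treat the rule as a signal for the common case rather than full coverage of T1547.006.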
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Rule Metadata
Rule ID
106d7cbd-80ff-4985-b682-a7043e5acb72
Status
test
Level
high
Type
Detection
Created
Tue Nov 02
Modified
Sun Dec 25
Path
rules/linux/auditd/syscall/lnx_auditd_load_module_insmod.yml
Raw Tags
attack.persistence, attack.privilege-escalation, attack.t1547.006