Detection | low | experimental

Special File Creation via Mknod Syscall

Detects usage of the `mknod` syscall to create special files (e.g., character or block devices). Attackers or malware might use `mknod` to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of `mknod` is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.

Author: Milad Cheraghi | Created: Sat May 31 | Updated: Fri Dec 05 | Rule ID: 710bdbce-495d-491d-9a8f-7d0d88d2b41e | Platform: linux
Log Source
Product: linux
Service: auditd
Detection Logic (1 selector)
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'mknod'
    condition: selection
False Positives

Device creation by legitimate scripts or init systems (udevadm, MAKEDEV)

Container runtimes or security tools during initialization
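As an added example (not part of the rule or the Sigma project), the selection above applied in Python to raw auditd SYSCALL records, with the listed false positives tuned out by an assumed exe allowlist. Raw auditd logs carry numeric syscall ids, so the code resolves them per audit arch; it also extends the match to mknodat, the variant glibc's mknod() wrapper issues on current builds and the only one that exists on aarch64. The sample records and the allowlist paths are constructed for this example.

```python
import re

# Constructed sample auditd records (not from the original page): serial 201 is a
# user-driven mknod, 202 a udevadm mknodat, 203 an unrelated openat, plus one PATH record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1717100000.101:201): arch=c000003e syscall=133 success=yes exit=0 a0=7ffd1 a1=2180 a2=501 a3=0 items=2 ppid=4101 pid=4102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="mknod" exe="/usr/bin/mknod" key=(null)
type=SYSCALL msg=audit(1717100000.102:202): arch=c000003e syscall=259 success=yes exit=0 a0=ffffff9c a1=55d0 a2=2180 a3=501 items=2 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udevadm" exe="/usr/bin/udevadm" key=(null)
type=SYSCALL msg=audit(1717100000.103:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e0 a2=0 a3=0 items=1 ppid=4101 pid=4103 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key=(null)
type=PATH msg=audit(1717100000.101:201): item=1 name="/tmp/fakedev" inode=1337 dev=fd:01 mode=020644 ouid=0 ogid=0 rdev=05:01 nametype=CREATE
"""

# Raw auditd logs carry numeric syscall ids; the name depends on the audit arch value.
SYSCALL_NAMES = {
    "c000003e": {133: "mknod", 259: "mknodat"},  # x86_64
    "c00000b7": {33: "mknodat"},                  # aarch64 exposes only mknodat
}
MKNOD_FAMILY = {"mknod", "mknodat"}
# Assumed allowlist covering the false positives the rule lists (udevadm, MAKEDEV).
BENIGN_EXE = {"/usr/bin/udevadm", "/usr/sbin/MAKEDEV", "/sbin/MAKEDEV"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one auditd record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def syscall_name(rec):
    """Resolve a numeric syscall id to its name; pass through already-resolved names."""
    raw = rec.get("syscall", "")
    if not raw.isdigit():
        return raw  # e.g. output of `ausearch -i`, where the field is already a name
    return SYSCALL_NAMES.get(rec.get("arch", ""), {}).get(int(raw))

def matches_rule(rec):
    """The Sigma selection: type == SYSCALL and the syscall is mknod (or mknodat)."""
    return rec.get("type") == "SYSCALL" and syscall_name(rec) in MKNOD_FAMILY

def event_serial(rec):
    """Pull the audit serial out of msg=audit(<timestamp>:<serial>): for correlation."""
    m = re.search(r"audit\([\d.]+:(\d+)\)", rec.get("msg", ""))
    return m.group(1) if m else None

def scan(log_text):
    """Return one alert per matching record whose exe is not on the benign allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if matches_rule(rec) and rec.get("exe") not in BENIGN_EXE:
            alerts.append({"serial": event_serial(rec), "syscall": syscall_name(rec),
                           "exe": rec.get("exe"), "auid": rec.get("auid")})
    return alerts
```

The serial in each alert joins the SYSCALL record to its PATH record (here serial 201, name="/tmp/fakedev"), which is how the created path and its rdev major:minor are recovered for triage.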

Rule Metadata
Rule ID
710bdbce-495d-491d-9a8f-7d0d88d2b41e
Status
experimental
Level
low
Type
Detection
Created
Sat May 31
Modified
Fri Dec 05
Path
rules/linux/auditd/syscall/lnx_auditd_susp_special_file_creation_via_mknod_syscall.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1543.003