
Kernel Driver Load

Elastic Detection Rules

Summary
The 'Kernel Driver Load' detection rule identifies unauthorized loading of Linux kernel modules, a technique attackers use (for example to install rootkits) to gain stealthy, persistent control over a system. The rule monitors the system calls that load kernel modules (`init_module` and `finit_module`) through the `auditd_manager` integration. Because it observes the kernel at the system-call level, the rule is not bypassed by attackers who avoid the kernel module files or installation utilities (such as `insmod` or `modprobe`) that file- or process-based monitoring watches. Central to this rule is the `auditd_manager` integration, which simplifies audit configuration on Linux hosts. When configured correctly, the rule helps security teams detect potentially unauthorized module loads and prompts investigation of kernel modules that may compromise system integrity.
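The syscall-level check the summary describes, as an added Python example that is not part of the Elastic rule or the `auditd_manager` integration: it scans raw auditd SYSCALL records and reports every `init_module`/`finit_module` call with the process that made it. The sample records are constructed, and the x86_64 syscall numbers (175 and 313 under `arch=c000003e`) are an assumption of this example, not something the page states.

```python
import re
from dataclasses import dataclass

# Assumption: x86_64 syscall numbers for the module-loading syscalls.
# Other architectures (arch values) use different numbers; they are skipped here.
ARCH_X86_64 = "c000003e"
MODULE_SYSCALLS_X86_64 = {175: "init_module", 313: "finit_module"}

# Constructed sample auditd SYSCALL records (not real captured data):
# a successful finit_module by insmod, an unrelated execve, and a failed
# init_module attempt from a binary in /tmp.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1698321600.101:301): arch=c000003e syscall=313 success=yes exit=0 ppid=1200 pid=4242 auid=1000 uid=0 gid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=SYSCALL msg=audit(1698321600.205:302): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4300 auid=4294967295 uid=0 gid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1698321600.310:303): arch=c000003e syscall=175 success=no exit=-1 ppid=4400 pid=4401 auid=1000 uid=1000 gid=1000 comm="loader" exe="/tmp/loader" key="modules"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"audit\([^)]*:(\d+)\)")


@dataclass
class ModuleLoadEvent:
    serial: str      # audit event serial, for correlating with PATH/CWD records
    syscall: str     # "init_module" or "finit_module"
    success: bool    # a failed call is still worth investigating
    pid: int
    auid: int        # login uid of the session that issued the call
    comm: str
    exe: str


def parse_fields(line):
    """Turn one auditd record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect_module_loads(log_text):
    """Return a ModuleLoadEvent for each x86_64 SYSCALL record that loads a module."""
    hits = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != ARCH_X86_64:
            continue
        name = MODULE_SYSCALLS_X86_64.get(int(f.get("syscall", -1)))
        if name is None:
            continue
        serial = SERIAL_RE.search(line).group(1)
        hits.append(ModuleLoadEvent(serial, name, f.get("success") == "yes",
                                    int(f["pid"]), int(f["auid"]), f["comm"], f["exe"]))
    return hits
```

The equivalent audit rule to feed this (`-a always,exit -F arch=b64 -S init_module -S finit_module -k modules`) is what `auditd_manager` configures for you; the parser above only consumes the resulting records.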
Categories
  • Endpoint
  • Linux
Data Sources
  • Kernel
  • Process
  • Script
  • Driver
ATT&CK Techniques
  • T1547
  • T1547.006
  • T1014
Created: 2023-10-26