Initramfs Extraction via CPIO

Elastic Detection Rules

Summary
This detection rule identifies extraction of initramfs images on Linux systems with the `cpio` command. An attacker who can unpack the initramfs, alter its contents (for example the init script or an early-boot hook) and repack it gains code execution before the root filesystem is mounted, which is a durable persistence mechanism that survives reboots and most userland cleanup. The rule monitors process executions for `cpio` invoked with extraction arguments and excludes known legitimate parent processes such as `mkinitramfs` and `dracut`, which unpack and rebuild the image as part of normal kernel and initramfs maintenance. An alert fires when `cpio` extraction is observed outside of those build tools. The rule draws on the endpoint data sources listed below and ships with an investigation guide to help analysts confirm whether the activity is administrative (a manual image rebuild, a recovery session) or malicious, and to decide on remediation.
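The rule's query is not reproduced on this page, so the following is an added example, not Elastic's own logic: a minimal re-implementation of the shape the summary describes (Linux process start, `process.name` is `cpio`, extraction flags present, parent not one of the named build tools), run over constructed ECS-style process events. The field names follow ECS (`host.os.type`, `event.type`, `process.name`, `process.args`, `process.parent.name`); the sample events and the `make_event` helper are constructed for this example.

```python
# Added example: approximate re-implementation of the detection logic described
# above. This is NOT the Elastic rule's query; it is written to show how the
# parent-process exclusion and extraction-flag check interact on sample data.

BENIGN_PARENTS = {"mkinitramfs", "dracut"}  # the only parents the page names


def is_cpio_extract(args):
    """True if a cpio argv selects copy-in (extract) mode.

    cpio takes -i / --extract; short flags are commonly bundled (e.g. -idmv),
    so a lowercase 'i' inside a bundled short-option group counts. Scanning
    stops at '--' so file names after it are not mistaken for options.
    """
    for a in args[1:]:
        if a == "--":
            break
        if a == "--extract":
            return True
        if a.startswith("-") and not a.startswith("--") and "i" in a[1:]:
            return True
    return False


def matches(event):
    """Apply the rule's shape: Linux process start of cpio in extract mode,
    not spawned by a known initramfs build tool."""
    if event.get("host", {}).get("os", {}).get("type") != "linux":
        return False
    if event.get("event", {}).get("type") != "start":
        return False
    proc = event.get("process", {})
    if proc.get("name") != "cpio":
        return False
    if proc.get("parent", {}).get("name") in BENIGN_PARENTS:
        return False
    return is_cpio_extract(proc.get("args", []))


def make_event(args, parent, os_type="linux", etype="start"):
    """Build a constructed ECS-style process event (helper for this example)."""
    return {
        "host": {"os": {"type": os_type}},
        "event": {"type": etype},
        "process": {"name": args[0], "args": args, "parent": {"name": parent}},
    }


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    make_event(["cpio", "-idmv"], "bash"),                # manual unpack from a shell: alert
    make_event(["cpio", "-i"], "mkinitramfs"),            # image build tooling: excluded
    make_event(["cpio", "-o", "-H", "newc"], "bash"),     # copy-out (archive creation), not extract
    make_event(["cpio", "--extract", "--make-directories"], "dracut"),  # excluded parent
    make_event(["tar", "xf", "initrd.img"], "bash"),      # not cpio at all
    make_event(["cpio", "--extract"], "sh"),              # alert
    make_event(["cpio", "-idmv"], "bash", etype="end"),   # not a process start
]


def alerts(events):
    """Return the argv (joined) of each event the rule shape would flag."""
    return [" ".join(e["process"]["args"]) for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Two points worth noting when tuning a rule of this shape. Exclusions keyed on `process.parent.name` are cheap to evade (an attacker can copy a shell to a file named `dracut` or run `cpio` from inside a legitimate build tool's hook directory), so the parent check reduces noise rather than proving intent; the investigation guide step of checking who launched the build tool and what the image's contents changed to remains necessary. Conversely, bundled short options mean a naive `process.args == "-i"` match misses the very common `cpio -idmv` form, which is why the example scans for the `i` flag inside short-option groups.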
Categories
  • Endpoint
  • Linux
Data Sources
  • Process
  • Network Traffic
  • File
  • Application Log
  • Logon Session
ATT&CK Techniques
  • T1542 (Pre-OS Boot)
  • T1543 (Create or Modify System Process)
  • T1574 (Hijack Execution Flow)
Created: 2025-01-16