
Special File Creation via Mknod Syscall

Summary
This detection rule monitors use of the `mknod` syscall on Linux systems. The syscall exists specifically to create special files such as character and block device nodes. Attackers and malware can abuse it to create fake devices that interact with kernel interfaces or serve as covert communication channels. Because legitimate applications rarely call `mknod`, its use is a notable red flag that can indicate an attempt to circumvent file system protections or to establish a backdoor, so tracking `mknod` calls is important for spotting suspicious behaviour in Linux environments. The rule relies on the Linux audit framework (the audit daemon, auditd) and is assigned a low threat level; its purpose is to give security teams actionable insight into potentially unauthorized manipulation of the system.
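As an added example (not the rule's own code or the site's), the following Python parses auditd SYSCALL records, both raw (`syscall=133`) and `ausearch -i`-interpreted (`syscall=mknod`), and raises a low-level alert for `mknod`/`mknodat`; the audit rule in the comment, the x86_64 syscall numbers and the sample records are assumptions constructed for this illustration.

```python
import re
from typing import Optional

# Assumed audit rule that produces the records below (not from the page):
#   auditctl -a always,exit -F arch=b64 -S mknod -S mknodat -k special_file_create
# Raw x86_64 syscall numbers for mknod/mknodat; `ausearch -i` renders them as names instead.
MKNOD_SYSCALLS = {"133": "mknod", "259": "mknodat", "mknod": "mknod", "mknodat": "mknodat"}

# key=value pairs; values are either double-quoted strings or bare tokens
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Split one auditd record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def detect_mknod(line: str) -> Optional[dict]:
    """Return an alert dict for a SYSCALL record of mknod/mknodat, else None."""
    rec = parse_audit_record(line)
    if rec.get("type") != "SYSCALL":  # PATH/PROCTITLE records of the same event carry no syscall
        return None
    name = MKNOD_SYSCALLS.get(rec.get("syscall", ""))
    if name is None:
        return None
    return {
        "rule": "Special File Creation via Mknod Syscall",
        "level": "low",
        "syscall": name,
        "success": rec.get("success") == "yes",  # failed attempts are still worth an alert
        "uid": rec.get("uid"),
        "comm": rec.get("comm"),
        "exe": rec.get("exe"),
    }


# Constructed sample records (not real captures): raw mknod, interpreted mknodat, benign openat.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1717142400.101:4201): arch=c000003e syscall=133 success=yes exit=0 a0=7ffd3c2a1e40 items=1 ppid=1200 pid=1311 auid=1000 uid=0 gid=0 comm="mknod" exe="/usr/bin/mknod" key="special_file_create"
type=SYSCALL msg=audit(1717142400.202:4202): arch=x86_64 syscall=mknodat success=no exit=EPERM a0=ffffff9c items=1 ppid=1200 pid=1312 auid=1000 uid=1000 gid=1000 comm="python3" exe="/usr/bin/python3.11" key="special_file_create"
type=SYSCALL msg=audit(1717142400.303:4203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 comm="cron" exe="/usr/sbin/cron" key=(null)
"""


def scan(log_text: str) -> list:
    """Run the detection over every record and collect the alerts."""
    return [a for a in (detect_mknod(l) for l in log_text.splitlines()) if a]
```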
Categories
  • Linux
  • Endpoint
Data Sources
  • Process
  • File
Created: 2025-05-31