From e88df8369244a33fb72b2dc96f49e0aa5c397f4e Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Sun, 8 Dec 2024 16:46:46 +0330
Subject: [PATCH 1/7] Add rule for insert or remove rootkit
---
 ...roc_creation_lnx_rootkit_insert_remove.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/linux/process_creation/proc_creation_lnx_rootkit_insert_remove.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_rootkit_insert_remove.yml b/rules/linux/process_creation/proc_creation_lnx_rootkit_insert_remove.yml
new file mode 100644
index 00000000000..5cddd95ab6e
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_rootkit_insert_remove.yml
@@ -0,0 +1,28 @@
+title: Detect insert and remove rootkit - Linux
+id: 85b78882-a58d-405f-bbb3-201d41812e8c
+status: test
+description: Adversaries may attempt to insert/remove rootkits onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
+references:
+ - https://attack.mitre.org/techniques/T1014/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md
+author: CheraghiMilad
+date: 2024-12-08
+tags:
+ - attack.defense-evasion
+ - attack.t1014
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - '/kmod'
+ - '/sudo'
+ CommandLine|contains:
+ - 'insmod'
+ - 'rmmod'
+ - 'modprobe'
+ condition: selection
+falsepositives:
+ - Administrative tasks such as legitimate system administration involving device driver modules.
+level: medium
From 7d57a4e4043a7389aff623f0453ac4c90bfe969c Mon Sep 17 00:00:00 2001
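Review bot: The `selection` in the new `detection` block rests on two fragile assumptions: `Image|endswith: '/kmod'` only matches when the logging agent records the resolved multi-call binary rather than the `insmod`/`rmmod`/`modprobe` name it was invoked through, and `CommandLine|contains: 'modprobe'` is an unanchored substring, so any `sudo` command that merely mentions a path such as `/etc/modprobe.d/...` fires the rule. Listing the three tool names under `Image|endswith` as well, and matching the command word with a bounded `CommandLine|re` instead of `contains`, makes the rule independent of symlink resolution and removes the path-substring false positives. Separately, `modprobe` is also invoked routinely by udev/systemd during boot and hotplug (inferred, not visible in this hunk), so at `level: medium` expect high volume unless a `filter` on the parent process, e.g. `ParentImage|endswith: '/systemd-udevd'`, is added once the log source is confirmed to carry that field; the `falsepositives` entry should then name that source explicitly.

```yaml
detection:
  selection:
    Image|endswith:
      - '/kmod'
      - '/insmod'
      - '/rmmod'
      - '/modprobe'
      - '/sudo'
    CommandLine|re: '(^|[\s/])(insmod|rmmod|modprobe)(\s|$)'
  condition: selection
# … unchanged: title, id, status, description, references, author, date, tags, logsource, falsepositives, level …
```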
From: Milad Cheraghi
Date: Sun, 8 Dec 2024 16:55:51 +0330
Subject: [PATCH 2/7] fix issue about invalid keys like rootkit, insert and remove
---
 ...emove.yml => proc_creation_lnx_add_delete_device_driver.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/linux/process_creation/{proc_creation_lnx_rootkit_insert_remove.yml => proc_creation_lnx_add_delete_device_driver.yml} (93%)
diff --git a/rules/linux/process_creation/proc_creation_lnx_rootkit_insert_remove.yml b/rules/linux/process_creation/proc_creation_lnx_add_delete_device_driver.yml
similarity index 93%
rename from rules/linux/process_creation/proc_creation_lnx_rootkit_insert_remove.yml
rename to rules/linux/process_creation/proc_creation_lnx_add_delete_device_driver.yml
index 5cddd95ab6e..602fc1915d0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_rootkit_insert_remove.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_add_delete_device_driver.yml
@@ -1,4 +1,4 @@
-title: Detect insert and remove rootkit - Linux
+title: Detect add or delete rootkits/device drivcers - Linux
 id: 85b78882-a58d-405f-bbb3-201d41812e8c
 status: test
 description: Adversaries may attempt to insert/remove rootkits onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
From f4f81828ea4bf524b2d48bb1d67e88b30e3d2e84 Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Sun, 8 Dec 2024 17:07:17 +0330
Subject: [PATCH 3/7] fix issue - title have a invalid value
---
 ...er.yml => proc_creation_lnx_device_driver_insert_remove.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/linux/process_creation/{proc_creation_lnx_add_delete_device_driver.yml => proc_creation_lnx_device_driver_insert_remove.yml} (93%)
diff --git a/rules/linux/process_creation/proc_creation_lnx_add_delete_device_driver.yml b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
similarity index 93%
rename from rules/linux/process_creation/proc_creation_lnx_add_delete_device_driver.yml
rename to rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
index 602fc1915d0..0902624acfe 100644
--- a/rules/linux/process_creation/proc_creation_lnx_add_delete_device_driver.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
@@ -1,4 +1,4 @@
-title: Detect add or delete rootkits/device drivcers - Linux
+title: Detect insert or remove rootkit - Linux
 id: 85b78882-a58d-405f-bbb3-201d41812e8c
 status: test
 description: Adversaries may attempt to insert/remove rootkits onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
From 7a5c89779e4626e7c95f13704e1134bc47ccb01b Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Sun, 8 Dec 2024 17:11:12 +0330
Subject: [PATCH 4/7] fix issue - change title
---
 .../proc_creation_lnx_device_driver_insert_remove.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
index 0902624acfe..33003b3d4e4 100644
--- a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
@@ -1,4 +1,4 @@
-title: Detect insert or remove rootkit - Linux
+title: Detect Adding Kernel Modules - Linux
 id: 85b78882-a58d-405f-bbb3-201d41812e8c
 status: test
 description: Adversaries may attempt to insert/remove rootkits onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
From f2e02c76c8bb840bcb058f1b9987864aaf05e46c Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Sun, 8 Dec 2024 18:21:17 +0330
Subject: [PATCH 5/7] fix issue - not adding permalinks
---
 .../proc_creation_lnx_device_driver_insert_remove.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
index 33003b3d4e4..3b759c359bc 100644
--- a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
@@ -1,10 +1,9 @@
-title: Detect Adding Kernel Modules - Linux
+title: Detect Adding and removing the Kernel Modules - Linux
 id: 85b78882-a58d-405f-bbb3-201d41812e8c
-status: test
+status: experimental
 description: Adversaries may attempt to insert/remove rootkits onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
 references:
 - https://attack.mitre.org/techniques/T1014/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md
 author: CheraghiMilad
 date: 2024-12-08
 tags:
From 0d052eaebc4da556201f1f28f3c3df56aafa1f7d Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Tue, 10 Dec 2024 10:06:34 +0330
Subject: [PATCH 6/7] Some links are added, and the title is changed
---
 .../proc_creation_lnx_device_driver_insert_remove.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
index 3b759c359bc..fef6015ea57 100644
--- a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
@@ -1,11 +1,14 @@
-title: Detect Adding and removing the Kernel Modules - Linux
+title: Adding and removing kernel modules - Linux
 id: 85b78882-a58d-405f-bbb3-201d41812e8c
 status: experimental
-description: Adversaries may attempt to insert/remove rootkits onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
+description: Adversaries may attempt to insert/remove rootkits (device driver) onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
 references:
- - https://attack.mitre.org/techniques/T1014/
+ - https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html
+ - https://xcellerator.github.io/posts/linux_rootkits_02/
+ - https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485
+ - https://thomas-byrne.co.uk/projects/makingarootkit/
 author: CheraghiMilad
-date: 2024-12-08
+date: 2024-12-10
 tags:
 - attack.defense-evasion
 - attack.t1014
From 384f3cb89a5f02cfc5b0a2b7c5af6280bd57e86e Mon Sep 17 00:00:00 2001
From: Milad Cheraghi
Date: Wed, 11 Dec 2024 22:38:46 +0330
Subject: [PATCH 7/7] Set correct title
---
 .../proc_creation_lnx_device_driver_insert_remove.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
index fef6015ea57..7961b61adb9 100644
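Review bot: Removing `https://attack.mitre.org/techniques/T1014/` from `references` leaves the `attack.t1014` tag, kept a few lines below in the same hunk, without the source that justifies it, and the four replacement links are rootkit-development write-ups that describe the tradecraft but not the telemetry this rule keys on (the kmod binary and the `insmod`/`rmmod`/`modprobe` command lines); keep the ATT&CK entry alongside them. The reworded `description` with `rootkits (device driver)` is imprecise, since what the rule observes is a kernel module being loaded or unloaded whether it is a driver or a rootkit; `Adversaries may load or unload kernel modules, for example to install a rootkit, on a victim host.` states that more accurately. The hunk also bumps `date` rather than adding `modified`; for a rule still under review that is fine, but once merged Sigma expects `date` to remain the creation date.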
--- a/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_device_driver_insert_remove.yml
@@ -1,4 +1,4 @@
-title: Adding and removing kernel modules - Linux
+title: Adding and Removing Kernel Modules - Linux
 id: 85b78882-a58d-405f-bbb3-201d41812e8c
 status: experimental
 description: Adversaries may attempt to insert/remove rootkits (device driver) onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.