Network Activity Detected via Kworker

Last updated 7 days ago on 2025-01-24

Created a year ago on 2023-10-18

About

This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.

Tags

Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: Command and ControlData Source: Elastic DefendLanguage: kuery

Severity

low

Risk Score

MITRE ATT&CK™

Command and Control (TA0011)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Rootkit (T1014)(opens in a new tab or window)

↳ Masquerading (T1036)(opens in a new tab or window)

Exfiltration (TA0010)(opens in a new tab or window)

↳ Exfiltration Over C2 Channel (T1041)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: New Terms Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.*
Related Integrations: endpoint(opens in a new tab or window)
Query

host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and
process.name:kworker* and not destination.ip:(
  10.0.0.0/8 or
  127.0.0.0/8 or
  169.254.0.0/16 or
  172.16.0.0/12 or
  192.168.0.0/16 or
  224.0.0.0/4 or
  "::1" or
  "FE80::/10" or
  "FF00::/8" or
  "0.0.0.0"
) and not destination.port:("2049" or "111" or "892" or "597")

Install detection rules in Elastic Security

Detect Network Activity Detected via Kworker in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).