Elastic Security Detection Rules

Enumeration of Kernel Modules

Last updated 7 days ago on 2025-01-24
Created 5 years ago on 2020-04-23

About

Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. This identifies attempts to enumerate information about a kernel module.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: DiscoveryData Source: Elastic DefendData Source: Elastic EndgameLanguage: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

System Information Discovery (T1082)(opens in a new tab or window)

False Positive Examples
Security tools and device drivers may run these programs in order to enumerate kernel modules. Use of these programs by ordinary users is uncommon. These can be exempted by process name or username.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.*endgame-*
Related Integrations

endpoint(opens in a new tab or window)

Query
event.category:process and host.os.type:linux and event.type:start and event.action:(exec or exec_event) and (
 (process.name:(lsmod or modinfo)) or
 (process.name:kmod and process.args:list) or
 (process.name:depmod and process.args:(--all or -a))
) and
not (
  process.parent.name:(
    mkinitramfs or cryptroot or framebuffer or dracut or jem or thin-provisioning-tools or readykernel or lvm2 or
    vz-start or iscsi or mdadm or ovalprobes or bcache or plymouth or dkms or overlayroot or weak-modules or zfs or
    systemd or whoopsie-upload-all or kdumpctl or apport-gtk or casper or rear or kernel-install or newrelic-infra
  ) or
  process.parent.executable:/var/lib/dpkg/info/linux-modules*-generic.post*
)

Install detection rules in Elastic Security

Detect Enumeration of Kernel Modules in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).