Elastic Security Detection Rules

Kernel Load or Unload via Kexec Detected

Last updated 2 months ago on 2025-03-20
Created 2 years ago on 2023-06-09

About

This detection rule identifies the usage of kexec, helping to uncover unauthorized kernel replacements and potential compromise of the system's integrity. Kexec is a Linux feature that enables the loading and execution of a different kernel without going through the typical boot process. Malicious actors can abuse kexec to bypass security measures, escalate privileges, establish persistence or hide their activities by loading a malicious kernel, enabling them to tamper with the system's trusted state, allowing e.g. a VM Escape.
Tags
Domain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceTactic: Privilege EscalationTactic: Defense EvasionData Source: Elastic DefendData Source: Elastic EndgameData Source: Auditd ManagerData Source: CrowdstrikeData Source: SentinelOneLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Privilege Escalation (TA0004)(opens in a new tab or window)

Escape to Host (T1611)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Boot or Logon Autostart Execution (T1547)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

Modify System Image (T1601)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
auditbeat-*endgame-*logs-auditd_manager.auditd-*logs-crowdstrike.fdr*logs-endpoint.events.process*logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint(opens in a new tab or window)

auditd_manager(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

Query
process where host.os.type == "linux" and event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
  process.name == "kexec" and process.args in ("--exec", "-e", "--load", "-l", "--unload", "-u") and
  not process.parent.name in ("kdumpctl", "unload.sh")

Install detection rules in Elastic Security

Detect Kernel Load or Unload via Kexec Detected in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).