Kernel Driver Load by non-root User

Last updated 5 months ago on 2025-01-15

Created a year ago on 2024-01-10

About

Detects the loading of a Linux kernel module by a non-root user through system calls. Threat actors may leverage Linux kernel modules to load a rootkit on a system providing them with complete control and the ability to hide from security products. As other rules monitor for the addition of Linux kernel modules through system utilities or .ko files, this rule covers the gap that evasive rootkits leverage by monitoring for kernel module additions on the lowest level through auditd_manager.

Tags

Data Source: Auditd ManagerDomain: EndpointOS: LinuxUse Case: Threat DetectionTactic: PersistenceTactic: Defense EvasionLanguage: eql

Severity

medium

Risk Score

MITRE ATT&CK™

Persistence (TA0003)(opens in a new tab or window)

↳ Boot or Logon Autostart Execution (T1547)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

↳ Rootkit (T1014)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-auditd_manager.auditd-*
Related Integrations: auditd_manager(opens in a new tab or window)
Query

driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and
auditd.data.syscall in ("init_module", "finit_module") and user.id != "0"

Install detection rules in Elastic Security

Detect Kernel Driver Load by non-root User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).