MATCH-S00745.md

File metadata and controls

35 lines (28 loc) · 1.3 KB

# Rules: Loadable Kernel Module Enumeration

## Description

Detects commands associated with enumeration of loadable kernel modules (LKMs). On Linux systems, LKMs can be used to achieve persistence by modifying the kernel so that it automatically executes malicious code at boot.

## Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Persistence |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | Loadable Kernel Module Enumeration |
| Summary Expression | LKM enumeration detected on host: {{device_hostname}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0003, _mitreAttackTechnique:T1547.006, _mitreAttackTactic:TA0007 |

## Vendors and Products

## Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | user_username |
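The page does not publish the rule's actual match expression, so the following is an added illustration (not Sumo Logic's rule code) of how a templated match over the `commandLine` field can flag LKM enumeration and render the summary expression above. The set of enumeration commands, the wrapper handling and the sample records are the editor's assumptions.

```python
import re
import shlex

# ASSUMPTION: the page does not publish the rule's match expression; the
# enumeration commands below are the editor's approximation of what it covers.
LKM_ENUM_BINARIES = {"lsmod", "modinfo"}
LKM_ENUM_PATHS = ("/proc/modules", "/sys/module", "/lib/modules")
WRAPPERS = {"sudo", "env", "nice", "timeout", "nohup", "busybox"}
SHELL_OPERATORS = re.compile(r"\s*(?:\|\||&&|\||;)\s*")
SUMMARY_EXPRESSION = "LKM enumeration detected on host: {{device_hostname}}"  # rule's summary expression

def lkm_enumeration_reason(command_line: str):
    """Return why a command line counts as LKM enumeration, or None if it does not."""
    for segment in SHELL_OPERATORS.split(command_line):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes: fall back to a whitespace split
            tokens = segment.split()
        # Step over wrappers (sudo, env ...), bare options and VAR=value assignments (sudo -u USER is out of scope).
        while tokens and (tokens[0] in WRAPPERS or tokens[0].startswith("-") or "=" in tokens[0]):
            tokens.pop(0)
        binary = tokens[0].rsplit("/", 1)[-1] if tokens else ""  # /sbin/lsmod -> lsmod
        if binary in LKM_ENUM_BINARIES:
            return f"binary:{binary}"
        if binary == "kmod" and tokens[1:2] and tokens[1] in ("list", "info"):
            return f"kmod:{tokens[1]}"
        for arg in tokens[1:]:  # reading the module table directly, e.g. cat /proc/modules
            if arg.startswith(LKM_ENUM_PATHS):
                return f"path:{arg}"
    return None

def evaluate(records: list) -> list:
    """Apply the rule to normalized records, rendering one signal per match."""
    signals = []
    for rec in records:
        if (reason := lkm_enumeration_reason(rec.get("commandLine", ""))) is not None:
            signals.append({
                "summary": SUMMARY_EXPRESSION.replace("{{device_hostname}}", rec["device_hostname"]),
                "severity": 1,  # Score/Severity "Static: 1" in the rule table
                "entities": {k: rec[k] for k in ("device_hostname", "device_ip", "user_username")},
                "reason": reason})
    return signals

# Constructed sample records carrying the normalized schema fields the rule reads.
SAMPLE_RECORDS = [
    {"commandLine": "sudo lsmod", "device_hostname": "web01", "device_ip": "10.0.0.5", "user_username": "deploy"},
    {"commandLine": "cat /proc/modules | grep -i nf_", "device_hostname": "db02", "device_ip": "10.0.0.9", "user_username": "root"},
    {"commandLine": "grep lsmod /var/log/auth.log", "device_hostname": "web01", "device_ip": "10.0.0.5", "user_username": "deploy"},
]
```

The third sample record only mentions `lsmod` as an argument to `grep`, so inspecting the executed binary rather than the whole string keeps it from producing a signal.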