Rules: Loadable Kernel Module Enumeration
Detects commands associated with enumeration of loadable kernel modules (LKMs). On Linux systems, LKMs can be used to achieve persistence by modifying the kernel so that malicious programs execute automatically at boot.
| Detail | Value |
|---|---|
| Type | Templated Match |
| Category | Persistence |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | Loadable Kernel Module Enumeration |
| Summary Expression | LKM enumeration detected on host: {{device_hostname}} |
| Score/Severity | Static: 1 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0003, _mitreAttackTechnique:T1547.006, _mitreAttackTactic:TA0007 |
- CrowdStrike - FDR
- Linux - Linux OS Syslog
- Linux - Sysmon for Linux
- Microsoft - Azure
- Microsoft - Windows
| Origin | Field |
|---|---|
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | user_username |
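As an added illustration (not the vendor's rule logic, which this page does not reproduce), the following Python applies a templated match of this shape to records in the normalized schema above and emits the signal fields the table lists. The set of enumeration indicators it checks (lsmod, modinfo, `kmod list`/`kmod info`, reads of /proc/modules or /sys/module) and the sample records are assumptions.

```python
# Assumed enumeration indicators (the rule's real match list is not on the page):
# lsmod, modinfo, "kmod list|info", and reads of /proc/modules or /sys/module.
import os
import shlex

ENUM_BINARIES = {"lsmod", "modinfo"}
ENUM_PATHS = ("/proc/modules", "/sys/module")
SUMMARY_TEMPLATE = "LKM enumeration detected on host: {device_hostname}"
RISK_ENTITIES = ("device_hostname", "device_ip", "user_username")
TAGS = ["_mitreAttackTactic:TA0003", "_mitreAttackTechnique:T1547.006",
        "_mitreAttackTactic:TA0007"]

def _tokens(command_line):
    """Split a command line, descending into quoted sub-shells (sh -c '...')."""
    try:
        toks = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        toks = command_line.split()
    out = []
    for tok in toks:
        out.extend(_tokens(tok) if any(c.isspace() for c in tok) else [tok])
    return out

def is_lkm_enumeration(command_line):
    toks = _tokens(command_line)
    for i, tok in enumerate(toks):
        name = os.path.basename(tok)  # /usr/bin/lsmod -> lsmod
        if name in ENUM_BINARIES:
            return True
        if name == "kmod" and i + 1 < len(toks) and toks[i + 1] in ("list", "info"):
            return True
        if tok.startswith(ENUM_PATHS):  # cat /proc/modules, ls /sys/module
            return True
    return False

def evaluate(record):
    """Return a signal dict for a matching normalized record, else None."""
    if not is_lkm_enumeration(record.get("commandLine", "")):
        return None
    host = record.get("device_hostname", "<unknown>")
    return {"name": "Loadable Kernel Module Enumeration", "severity": 1, "tags": TAGS,
            "summary": SUMMARY_TEMPLATE.format(device_hostname=host),
            "entities": {k: record[k] for k in RISK_ENTITIES if k in record}}

SAMPLES = [  # constructed records in the rule's normalized schema, not real telemetry
    {"commandLine": "sh -c 'cat /proc/modules | wc -l'", "device_hostname": "web01",
     "device_ip": "10.0.0.5", "user_username": "alice"},
    {"commandLine": "ls -la /home/alice", "device_hostname": "web01",
     "device_ip": "10.0.0.5", "user_username": "alice"},
]
```

Running `evaluate` over `SAMPLES` yields one signal for the /proc/modules read and none for the directory listing; the risk entities carried on the signal are exactly the three fields the rule applies risk to.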