aquasecurity
diff --git a/‎detectors/syscall_table_hooking.go‎
Lines changed: 66 additions & 0 deletions b/‎detectors/syscall_table_hooking.go‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎detectors/syscall_table_hooking_test.go‎
Lines changed: 35 additions & 0 deletions b/‎detectors/syscall_table_hooking_test.go‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎signatures/golang/export.go‎
Lines changed: 0 additions & 1 deletion b/‎signatures/golang/export.go‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎signatures/golang/syscall_table_hooking.go‎
Lines changed: 0 additions & 68 deletions b/‎signatures/golang/syscall_table_hooking.go‎
Lines changed: 0 additions & 68 deletions
diff --git a/‎signatures/golang/syscall_table_hooking_test.go‎
Lines changed: 0 additions & 98 deletions b/‎signatures/golang/syscall_table_hooking_test.go‎
Lines changed: 0 additions & 98 deletions
@@ -0,0 +1,66 @@
+package detectors
+
+import (
+	"context"
+
+	"github.com/aquasecurity/tracee/api/v1beta1"
+	"github.com/aquasecurity/tracee/api/v1beta1/detection"
+)
+
+func init() {
+	register(&SyscallTableHooking{})
+}
+
+// SyscallTableHooking detects syscall table hooking (rootkit behavior).
+// Origin: "*" (triggers on both host and containers - no container=started filter).
+type SyscallTableHooking struct {
+	logger detection.Logger
+}
+
+func (d *SyscallTableHooking) GetDefinition() detection.DetectorDefinition {
+	return detection.DetectorDefinition{
+		ID: "TRC-1030",
+		Requirements: detection.DetectorRequirements{
+			Events: []detection.EventRequirement{
+				{
+					Name:       "hooked_syscall",
+					Dependency: detection.DependencyRequired,
+					// Note: Origin "*" from original - no container filter
+				},
+			},
+		},
+		ProducedEvent: v1beta1.EventDefinition{
+			Name:        "syscall_hooking",
+			Description: "Syscall table hooking detected",
+			Version:     &v1beta1.Version{Major: 1, Minor: 0, Patch: 0},
+		},
+		ThreatMetadata: &v1beta1.Threat{
+			Name:        "Syscall table hooking detected",
+			Description: "Syscall table hooking detected. Syscalls (system calls) are the interface between user applications and the kernel. By hooking the syscall table an adversary gains control on certain system function, such as file writing and reading or other basic function performed by the operation system. The adversary may also hijack the execution flow and execute it's own code. Syscall table hooking is considered a malicious behavior that is performed by rootkits and may indicate that the host's kernel has been compromised. Hidden modules are marked as hidden symbol owners and indicate further malicious activity of an adversary.",
+			Severity:    v1beta1.Severity_HIGH,
+			Mitre: &v1beta1.Mitre{
+				Tactic:    &v1beta1.MitreTactic{Name: "Defense Evasion"},
+				Technique: &v1beta1.MitreTechnique{Id: "T1014", Name: "Rootkit"},
+			},
+			Properties: map[string]string{"Category": "defense-evasion"},
+		},
+		AutoPopulate: detection.AutoPopulateFields{Threat: true, DetectedFrom: true},
+	}
+}
+
+func (d *SyscallTableHooking) Init(params detection.DetectorParams) error {
+	d.logger = params.Logger
+	d.logger.Debugw("SyscallTableHooking detector initialized")
+	return nil
+}
+
+func (d *SyscallTableHooking) OnEvent(ctx context.Context, event *v1beta1.Event) ([]detection.DetectorOutput, error) {
+	// Every hooked_syscall event is a detection
+	d.logger.Debugw("Syscall table hooking detected")
+	return detection.Detected(), nil
+}
+
+func (d *SyscallTableHooking) Close() error {
+	d.logger.Debugw("SyscallTableHooking detector closed")
+	return nil
+}
@@ -0,0 +1,35 @@
+package detectors
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/tracee/api/v1beta1"
+	"github.com/aquasecurity/tracee/api/v1beta1/detection"
+)
+
+func TestSyscallTableHooking(t *testing.T) {
+	t.Parallel()
+
+	detector := &SyscallTableHooking{}
+	err := detector.Init(detection.DetectorParams{Logger: &mockLogger{}})
+	require.NoError(t, err)
+
+	event := &v1beta1.Event{
+		Id:   v1beta1.EventId_hooked_syscall,
+		Name: "hooked_syscall",
+		Workload: &v1beta1.Workload{
+			Process: &v1beta1.Process{
+				Executable: &v1beta1.Executable{Path: "/usr/bin/test"},
+			},
+		},
+		Data: []*v1beta1.EventValue{},
+	}
+
+	output, err := detector.OnEvent(context.Background(), event)
+	require.NoError(t, err)
+	assert.Len(t, output, 1, "Expected detection for hooked_syscall event")
+}
@@ -6,7 +6,6 @@ import "github.com/aquasecurity/tracee/types/detect"
 // this is a list of signatures that this plugin exports
 var ExportedSignatures = []detect.Signature{
 	&SystemRequestKeyConfigModification{},
-	&SyscallTableHooking{},
 }
 
 // ExportedDataSources fulfills the goplugins contract required by the rule-engine
Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,6 @@ import "github.com/aquasecurity/tracee/types/detect"`
`6`	`6`	`// this is a list of signatures that this plugin exports`
`7`	`7`	`var ExportedSignatures = []detect.Signature{`
`8`	`8`	`&SystemRequestKeyConfigModification{},`
`9`		`- &SyscallTableHooking{},`
`10`	`9`	`}`
`11`	`10`
`12`	`11`	`// ExportedDataSources fulfills the goplugins contract required by the rule-engine`