[New Hunt & Tuning] Persistence via LKMs

Author: Aegrah

hunting/index.md

@@ -40,6 +40,7 @@ Here are the queries currently available:
 - [OSQuery SUID Hunting](./linux/docs/privilege_escalation_via_suid_binaries.md) (ES|QL)
 - [Persistence Through Reverse/Bind Shells](./linux/docs/persistence_reverse_bind_shells.md) (ES|QL)
 - [Persistence via Cron](./linux/docs/persistence_via_cron.md) (ES|QL)
+- [Persistence via Loadable Kernel Modules](./linux/docs/persistence_via_loadable_kernel_modules.md) (ES|QL)
 - [Persistence via Message-of-the-Day](./linux/docs/persistence_via_message_of_the_day.md) (ES|QL)
 - [Persistence via Package Manager](./linux/docs/persistence_via_package_manager.md) (ES|QL)
 - [Persistence via SSH Configurations and/or Keys](./linux/docs/persistence_via_ssh_configurations_and_keys.md) (ES|QL)

hunting/index.yml

@@ -220,6 +220,11 @@ linux:
     mitre:
     - T1037.004
     - T1546.003
+  d667d328-fadc-4a52-9b46-f42b1a83181c:
+    name: Persistence via Loadable Kernel Modules
+    path: ./linux/queries/persistence_via_loadable_kernel_modules.toml
+    mitre:
+    - T1547.006
 okta:
   0b936024-71d9-11ef-a9be-f661ea17fbcc:
     name: Failed OAuth Access Token Retrieval via Public Client App

hunting/linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md

@@ -16,11 +16,13 @@
 
 ```sql
 from logs-auditd_manager.auditd-*, logs-auditd.log-*, auditbeat-*
+| keep @timestamp, host.os.type, event.category, event.action, auditd.data.syscall, auditd.data.name, process.executable, process.name, agent.id
 | where @timestamp > now() - 30 day
 | where host.os.type == "linux" and event.category == "driver" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module")
-| stats host_count = count_distinct(host.id), total_count = count(*) by auditd.data.name, process.executable, process.name
+// Process name is different from executable in some cases
+| stats agent_count = count_distinct(agent.id), total_count = count(*) by auditd.data.name, process.executable, process.name
 // Alter this threshold to make sense for your environment
-| where host_count == 1 and total_count == 1
+| where agent_count == 1 and total_count <= 3
 | limit 100
 | sort auditd.data.name asc
 ```

hunting/linux/docs/persistence_via_loadable_kernel_modules.md

@@ -0,0 +1,89 @@
+# Persistence via Loadable Kernel Modules
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies potential persistence mechanisms leveraging Loadable Kernel Modules (LKMs) on Linux systems. LKMs enable dynamic extension of kernel functionality but can be abused by attackers to load malicious code into the kernel, granting them high privileges or persistence. This hunt monitors suspicious kernel module file creations, LKM-related process executions, and access to kernel module configuration files.
+
+- **UUID:** `d667d328-fadc-4a52-9b46-f42b1a83181c`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [Persistence via Loadable Kernel Modules](../queries/persistence_via_loadable_kernel_modules.toml)
+
+## Query
+
+```sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.extension, file.path, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "creation" and file.extension == "ko" and not (
+  // Add your exclusions here
+  file.path like "/run/initramfs/*" or
+  file.path like "/var/tmp/mkinitramfs*"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, agent.id, process.args, process.args_count
+| where @timestamp > now() - 30 days
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("kmod", "modprobe", "insmod", "rmmod")
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.args, process.args_count
+| where cc == 1 and agent_count == 1 and process.args_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE
+    f.path LIKE '/etc/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/security/%'
+    OR f.path LIKE '/etc/modules-load.d/%'
+    OR f.path LIKE '/run/modules-load.d/%'
+    OR f.path LIKE '/usr/local/lib/modules-load.d/%'
+    OR f.path like '/usr/lib/modules-load.d/%'
+    OR f.path = '/etc/modules'
+```
+
+```sql
+SELECT * FROM kernel_modules;
+```
+
+## Notes
+
+- Tracks the creation of loadable kernel module files (.ko) in non-standard directories to identify potential malicious modules.
+- Monitors the execution of processes related to kernel module management, such as kmod, modprobe, insmod, and rmmod, to detect suspicious or unusual activity.
+- Identifies changes to critical kernel module configuration files, including /etc/modprobe.d/, /etc/modules, and related paths.
+- Uses OSQuery queries to gather detailed metadata on kernel modules currently loaded, supporting forensic analysis of potential persistence mechanisms.
+- Provides statistics and counts to help identify rare or anomalous kernel module-related events.
+
+## MITRE ATT&CK Techniques
+
+- [T1547.006](https://attack.mitre.org/techniques/T1547/006)
+
+## License
+
+- `Elastic License v2`

hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml

@@ -18,11 +18,13 @@ mitre = ["T1547.006", "T1069.002"]
 query = [
 '''
 from logs-auditd_manager.auditd-*, logs-auditd.log-*, auditbeat-*
+| keep @timestamp, host.os.type, event.category, event.action, auditd.data.syscall, auditd.data.name, process.executable, process.name, agent.id
 | where @timestamp > now() - 30 day
 | where host.os.type == "linux" and event.category == "driver" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module")
-| stats host_count = count_distinct(host.id), total_count = count(*) by auditd.data.name, process.executable, process.name
+// Process name is different from executable in some cases
+| stats agent_count = count_distinct(agent.id), total_count = count(*) by auditd.data.name, process.executable, process.name
 // Alter this threshold to make sense for your environment
-| where host_count == 1 and total_count == 1
+| where agent_count == 1 and total_count <= 3
 | limit 100
 | sort auditd.data.name asc
 '''

hunting/linux/queries/persistence_via_loadable_kernel_modules.toml

@@ -0,0 +1,75 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies potential persistence mechanisms leveraging Loadable Kernel Modules (LKMs) on Linux systems. LKMs enable dynamic extension of kernel functionality but can be abused by attackers to load malicious code into the kernel, granting them high privileges or persistence. This hunt monitors suspicious kernel module file creations, LKM-related process executions, and access to kernel module configuration files.
+"""
+integration = ["endpoint"]
+uuid = "d667d328-fadc-4a52-9b46-f42b1a83181c"
+name = "Persistence via Loadable Kernel Modules"
+language = ["ES|QL", "SQL"]
+license = "Elastic License v2"
+notes = [
+    "Tracks the creation of loadable kernel module files (.ko) in non-standard directories to identify potential malicious modules.",
+    "Monitors the execution of processes related to kernel module management, such as kmod, modprobe, insmod, and rmmod, to detect suspicious or unusual activity.",
+    "Identifies changes to critical kernel module configuration files, including /etc/modprobe.d/, /etc/modules, and related paths.",
+    "Uses OSQuery queries to gather detailed metadata on kernel modules currently loaded, supporting forensic analysis of potential persistence mechanisms.",
+    "Provides statistics and counts to help identify rare or anomalous kernel module-related events."
+]
+mitre = ["T1547.006"]
+
+query = [
+'''
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.extension, file.path, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "creation" and file.extension == "ko" and not (
+  // Add your exclusions here
+  file.path like "/run/initramfs/*" or
+  file.path like "/var/tmp/mkinitramfs*"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+''',
+'''
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, agent.id, process.args, process.args_count
+| where @timestamp > now() - 30 days
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("kmod", "modprobe", "insmod", "rmmod")
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.args, process.args_count
+| where cc == 1 and agent_count == 1 and process.args_count <= 3
+| sort cc asc
+| limit 100
+''',
+'''
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE
+    f.path LIKE '/etc/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/security/%'
+    OR f.path LIKE '/etc/modules-load.d/%'
+    OR f.path LIKE '/run/modules-load.d/%'
+    OR f.path LIKE '/usr/local/lib/modules-load.d/%'
+    OR f.path like '/usr/lib/modules-load.d/%'
+    OR f.path = '/etc/modules'
+''',
+'''
+SELECT * FROM kernel_modules;
+'''
+]