IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Suspicious Kernel Feature Activity


This rule detects the modification and reading of kernel features through built-in commands. Attackers may collect information about, disable, or weaken Linux kernel protections. For example, an attacker may modify ASLR protection by disabling kernel.randomize_va_space, allow ptrace by setting kernel.yama.ptrace_scope to 0, or disable the NMI watchdog by setting kernel.nmi_watchdog to 0. These changes may be used to impair defenses and evade detection.

Rule type: eql

Rule indices:

  • logs-endpoint.events.process*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Defense Evasion
  • Tactic: Discovery
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.command_line : (
  "*/etc/sysctl.conf*", "*/etc/sysctl.d/*", "*/proc/sys/kernel/nmi_watchdog*",
  "*/proc/sys/vm/nr_hugepages*", "*/proc/sys/kernel/yama/ptrace_scope*",
  "*/proc/sys/kernel/randomize_va_space*", "*/proc/sys/vm/drop_caches*",
  "*/proc/sys/kernel/sysrq*", "*grsecurity*", "*exec-shield*",
  "*kernel.randomize_va_space*", "*kernel.yama.ptrace_scope*",
  "*kernel.nmi_watchdog*", "*vm.nr_hugepages*", "*vm.drop_caches*",
  "*kernel.sysrq*"
) and
process.parent.executable != null and
(
  (process.name == "tee" and process.args like "-*a*") or // also detects --append
  (process.name == "cat" and not process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
  (process.name == "grep" and process.args_count == 3 and not process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")) or
  (process.name == "sysctl" and process.args like ("*-w*", "*--write*", "*=*")) or
  (process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and process.args == "-c" and process.args : "*echo *")
)
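To see which process events the query above would flag, here is an added Python re-implementation of its logic (not part of the Elastic rule or its documentation), evaluated over constructed sample events. Field names are simplified from ECS (os, type, action, name, args, command_line, parent_name, parent_executable) and the sample telemetry is invented.

```python
import fnmatch
SHELLS = {"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
CMDLINE_PATTERNS = [  # wildcard patterns from the rule's process.command_line clause
    "*/etc/sysctl.conf*", "*/etc/sysctl.d/*", "*/proc/sys/kernel/nmi_watchdog*",
    "*/proc/sys/vm/nr_hugepages*", "*/proc/sys/kernel/yama/ptrace_scope*",
    "*/proc/sys/kernel/randomize_va_space*", "*/proc/sys/vm/drop_caches*",
    "*/proc/sys/kernel/sysrq*", "*grsecurity*", "*exec-shield*",
    "*kernel.randomize_va_space*", "*kernel.yama.ptrace_scope*",
    "*kernel.nmi_watchdog*", "*vm.nr_hugepages*", "*vm.drop_caches*", "*kernel.sysrq*",
]
def _any_arg_like(args, patterns):
    # EQL `like` on an array field is satisfied if any element matches any pattern
    return any(fnmatch.fnmatchcase(a, p) for a in args for p in patterns)

def matches_rule(e):
    """Return True when one process exec event satisfies the rule query."""
    if (e["os"], e["type"], e["action"]) != ("linux", "start", "exec"):
        return False
    cmd = e["command_line"].lower()  # EQL `:` is case-insensitive, `like` is not
    if not any(fnmatch.fnmatchcase(cmd, p) for p in CMDLINE_PATTERNS):
        return False
    if not e.get("parent_executable"):  # process.parent.executable != null
        return False
    name, args, parent = e["name"], e["args"], e.get("parent_name")
    if name == "tee":
        return _any_arg_like(args, ["-*a*"])  # also catches --append
    if name == "cat":
        return parent not in SHELLS
    if name == "grep":
        return len(args) == 3 and parent not in SHELLS
    if name == "sysctl":
        return _any_arg_like(args, ["*-w*", "*--write*", "*=*"])
    if name in SHELLS:
        return "-c" in args and _any_arg_like(args, ["*echo *"])
    return False

def ev(eid, name, args, parent_name, parent_exe="/usr/bin/bash"):
    # build a constructed Linux exec event in the shape matches_rule expects
    return {"id": eid, "os": "linux", "type": "start", "action": "exec",
            "name": name, "args": args, "command_line": " ".join(args),
            "parent_name": parent_name, "parent_executable": parent_exe}
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ev("sysctl-write", "sysctl", ["sysctl", "-w", "kernel.randomize_va_space=0"], "bash"),
    ev("tee-append", "tee", ["tee", "-a", "/etc/sysctl.conf"], "bash"),
    ev("cat-from-shell", "cat", ["cat", "/proc/sys/kernel/yama/ptrace_scope"], "bash"),
    ev("cat-from-python", "cat", ["cat", "/proc/sys/kernel/yama/ptrace_scope"], "python3"),
    ev("shell-echo", "sh", ["sh", "-c", "echo 0 > /proc/sys/kernel/nmi_watchdog"], "cron"),
]
def alerting_event_ids(events=SAMPLE_EVENTS):
    """IDs of events that would raise an alert under the rule."""
    return [e["id"] for e in events if matches_rule(e)]
```

Note that `cat` run directly from an interactive shell is deliberately excluded by the rule, so the same read launched from a non-shell parent is the one that alerts.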

Framework: MITRE ATT&CK™