Language: KQL · License: Elastic-2.0 · from elastic/detection-rules
Kernel Object File Creation
Rule source: rules/linux/persistence_kernel_object_file_creation.toml
event.category:file and host.os.type:linux and event.type:creation and file.extension:ko and
not (
file.path:(
/tmp/mkinitramfs* or /var/cache/uptrack/* or /var/tmp/dracut.* or /build/* or /var/lib/dkms/* or
/mnt/Samsung/* or /var/tmp/portage/* or /tmp/user/0/mkinitramfs* or /var/tmp/supermin* or
/mnt/img/storage/squashfs-root/* or /var/opt/eset/* or /var/tmp/mkinitramfs_*
) or
process.executable:(
"/usr/local/v3net/suarez/bin/suarez" or "/sbin/dracut" or "/opt/traps/bin/pmd" or "/usr/bin/pacman" or
"/usr/bin/containerd" or "/usr/sbin/dockerd" or "/usr/bin/dockerd" or /snap/* or
"/usr/lib/dracut/dracut-initramfs-restore" or "/sbin/unsquashfs"
) or
process.name:"cpio"
)