Language: KQL | License: Elastic-2.0 | Source: elastic/detection-rules

Network Activity Detected via Kworker

Rule source: rules/linux/command_and_control_linux_kworker_netcon.toml
host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and
process.name:kworker* and not destination.ip:(
  10.0.0.0/8 or
  127.0.0.0/8 or
  169.254.0.0/16 or
  172.16.0.0/12 or
  192.168.0.0/16 or
  224.0.0.0/4 or
  "::1" or
  "FE80::/10" or
  "FF00::/8" or
  "0.0.0.0"
) and not destination.port:("2049" or "111" or "892" or "597")
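As an added defender's example (not code from the elastic/detection-rules project), the Python below re-implements the rule's clauses over constructed flat ECS-style events so the exclusions can be checked offline. It assumes the ECS field names used in the query above, keeps KQL's semantics for absent fields, and uses documentation address ranges for the sample destinations.

```python
import ipaddress
from typing import Dict, List

# Exclusions transcribed from the rule above; ipaddress normalises the
# mixed-case IPv6 prefixes and performs the CIDR containment test.
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "FE80::/10", "FF00::/8",
    "0.0.0.0/32")]
EXCLUDED_PORTS = {2049, 111, 892, 597}  # NFS and rpcbind-related ports
ACTIONS = {"connection_attempted", "connection_accepted"}

def matches_rule(event: Dict) -> bool:
    """True when a flat ECS-style event satisfies every clause of the rule."""
    if event.get("host.os.type") != "linux" or event.get("event.category") != "network":
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    if not str(event.get("process.name", "")).startswith("kworker"):
        return False
    # 'not destination.ip:(...)' is true when the field is absent, so only a
    # present address can trigger the exclusion (the port clause behaves alike).
    if "destination.ip" in event:
        dst = ipaddress.ip_address(event["destination.ip"])
        if any(dst in net for net in EXCLUDED_NETS):
            return False
    if int(event.get("destination.port", -1)) in EXCLUDED_PORTS:
        return False
    return True

def find_matches(events: List[Dict]) -> List[Dict]:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]

def _ev(name, ip, port, action="connection_attempted", os="linux"):
    return {"host.os.type": os, "event.category": "network", "event.action": action,
            "process.name": name, "destination.ip": ip, "destination.port": port}

# Constructed sample events; destinations use RFC 5737 / RFC 3849 ranges.
SAMPLE_EVENTS = [
    _ev("kworker/0:1", "203.0.113.7", 443),        # public IPv4: alert
    _ev("kworker/u8:2", "2001:db8::10", 8443),     # public IPv6: alert
    _ev("kworker/1:0", "10.20.30.40", 443),        # RFC 1918: excluded
    _ev("kworker/2:1", "198.51.100.9", 2049),      # NFS port: excluded
    _ev("kworker/3:0", "fe80::1", 443),            # link-local IPv6: excluded
    _ev("bash", "203.0.113.7", 443),               # not a kworker name: no match
    _ev("kworker/0:1", "203.0.113.7", 443, action="disconnect_received"),
]
```

Running `find_matches(SAMPLE_EVENTS)` yields only the first two events; an event with no destination.ip at all still matches, which is worth knowing when tuning false positives.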