SPL, Apache-2.0, from splunk/security_content

Linux Auditd Kernel Module Enumeration

The following analytic identifies the use of the 'kmod' process to list kernel modules on a Linux system. The detection leverages Linux Auditd SYSCALL records, matching on the process name (comm) and command-line execution. Listing kernel modules is not inherently malicious, but it can be a precursor to loading unauthorized modules with 'insmod'. If confirmed malicious, this activity could allow an attacker to load kernel modules, potentially leading to privilege escalation, persistence, or other malicious actions on the system.

Quality: 67. FP risk: not shown. Forks: 0. Views: 0.
Rule source: detections/endpoint/linux_auditd_kernel_module_enumeration.yml
`linux_auditd` type=SYSCALL comm=lsmod
  | rename host as dest
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY comm exe syscall uid ppid pid success dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_kernel_module_enumeration_filter`
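As an added illustration (not part of the Splunk rule or the security_content project), the same detection logic applied in Python to constructed raw audit.log lines: parse the SYSCALL records, keep those with comm=lsmod, and aggregate count, firstTime and lastTime over the same BY fields. The sample lines and the fixed host name standing in for the dest field are assumptions.

```python
import re

# Constructed sample audit.log records (not real captures). On most distributions
# lsmod is a symlink to kmod, so comm="lsmod" pairs with exe="/usr/bin/kmod".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 uid=1000 comm="lsmod" exe="/usr/bin/kmod" key="kmod_enum"
type=SYSCALL msg=audit(1700000003.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4102 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=SYSCALL msg=audit(1700000009.777:203): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 uid=1000 comm="lsmod" exe="/usr/bin/kmod" key="kmod_enum"
type=PROCTITLE msg=audit(1700000009.777:203): proctitle="lsmod"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
TIME_RE = re.compile(r'msg=audit\((\d+\.\d+):\d+\)')  # epoch timestamp inside msg=audit(...)

BY_FIELDS = ("comm", "exe", "syscall", "uid", "ppid", "pid", "success")


def parse_record(line):
    """Parse one auditd record into a dict; quoted values are unquoted,
    and the event timestamp is exposed as _time (float seconds)."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = TIME_RE.search(line)
    if m:
        fields["_time"] = float(m.group(1))
    return fields


def kernel_module_enumeration(log_text, host="dest-host"):
    """Mirror the SPL search: SYSCALL records with comm=lsmod, then
    count/min(_time)/max(_time) grouped by the BY fields plus dest."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("comm") != "lsmod":
            continue
        if "_time" not in rec:  # malformed record without a timestamp
            continue
        key = tuple(rec.get(f, "") for f in BY_FIELDS) + (host,)
        g = groups.setdefault(key, {"count": 0, "firstTime": rec["_time"], "lastTime": rec["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], rec["_time"])
        g["lastTime"] = max(g["lastTime"], rec["_time"])
    return groups


if __name__ == "__main__":
    for key, agg in kernel_module_enumeration(SAMPLE_AUDIT_LOG).items():
        print(dict(zip(BY_FIELDS + ("dest",), key)), agg)
```

The `ls` execution and the PROCTITLE record are dropped by the filter; the two `lsmod` executions collapse into one row with count 2, exactly as the stats clause above would produce.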