splApache-2.0from splunk/security_content
Linux Auditd Kernel Module Using Rmmod Utility
The following analytic detects suspicious use of the `rmmod` utility for kernel module removal, which may indicate an attacker attempt to unload critical or security-related kernel modules. The `rmmod` command is used to remove modules from the Linux kernel, and unauthorized use can be a tactic to disable security features, conceal malicious activities, or disrupt system operations. By monitoring for unusual or unauthorized `rmmod` activity, this analytic helps identify potential tampering with kernel modules, enabling security teams to take proactive measures to protect system integrity and security.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
`linux_auditd` type=SYSCALL comm=rmmod
| rename host as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY comm exe syscall
uid ppid pid
success dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_auditd_kernel_module_using_rmmod_utility_filter`