SPL detection, Apache-2.0, from splunk/security_content

Linux Auditd Unload Module Via Modprobe

The following analytic detects execution of the `modprobe` command with its `-r` (remove) switch, as recorded in auditd execve events, to unload kernel modules. Unloading a module may indicate an attempt to disable a critical system component or evade detection: `modprobe` loads and unloads kernel modules, and unauthorized unloading can disrupt security features, remove logging or monitoring capabilities, or conceal malicious activity. By surfacing module-unload invocations of `modprobe` per host and command line, this analytic helps identify potential tampering with kernel functionality so that security teams can investigate possible threats to system integrity. Administrators, package upgrades and driver rebuilds also unload modules legitimately, so results should be tuned through the accompanying filter macro; note also that the search, as written, keys only on `modprobe` and the short `-r ` switch, so unloads performed with `rmmod` or with `modprobe --remove` are not matched.

Rule source: detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
`linux_auditd` execve_command = "*modprobe*" AND execve_command = "*-r *"
  | rename host as dest
  | rename comm as process_name
  | rename exe as process
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY argc execve_command dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_unload_module_via_modprobe_filter`
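To show what the search above actually matches, here is an added worked example (not part of the Splunk rule or the security_content project) that reproduces its filter and `stats` aggregation in Python over a handful of constructed auditd `EXECVE` records. It assumes that the `execve_command` field is the record's `a0..aN` argv values joined with single spaces, that `dest` comes from the host the event was collected from, and that Splunk's `=` wildcard comparison is case-insensitive; the `linux_auditd` and `linux_auditd_unload_module_via_modprobe_filter` macros are not reproduced. The sample lines are fabricated for illustration and are not real captures.

```python
import re

# Constructed sample auditd EXECVE records (not real captures), each paired
# with the host it was collected from so the aggregation can group by dest.
SAMPLE_EVENTS = [
    # plain unload: matches "*modprobe*" AND "*-r *"
    ("web01", 'type=EXECVE msg=audit(1700000000.101:4101): argc=3 a0="modprobe" a1="-r" a2="pcspkr"'),
    # absolute path in argv[0] still matches the "*modprobe*" wildcard
    ("web01", 'type=EXECVE msg=audit(1700000000.202:4102): argc=3 a0="/sbin/modprobe" a1="-r" a2="nf_conntrack"'),
    # module load, no "-r ": must not match
    ("web01", 'type=EXECVE msg=audit(1700000000.303:4103): argc=2 a0="modprobe" a1="br_netfilter"'),
    # rmmod also unloads modules, but the rule only looks for modprobe
    ("db01",  'type=EXECVE msg=audit(1700000000.404:4104): argc=2 a0="rmmod" a1="usb_storage"'),
    # long option spelling: the substring "-r " is absent, so the rule misses it
    ("db01",  'type=EXECVE msg=audit(1700000000.505:4105): argc=3 a0="modprobe" a1="--remove" a2="ftrace"'),
    # bundled short options: "-rv " is not "-r ", so the rule misses this too
    ("db01",  'type=EXECVE msg=audit(1700000000.606:4106): argc=3 a0="modprobe" a1="-rv" a2="ftrace"'),
    # the same command line twice on a second host: one row with count=2
    ("db01",  'type=EXECVE msg=audit(1700000000.707:4107): argc=3 a0="modprobe" a1="-r" a2="pcspkr"'),
    ("db01",  'type=EXECVE msg=audit(1700000000.808:4108): argc=3 a0="modprobe" a1="-r" a2="pcspkr"'),
]

EXECVE_RE = re.compile(r'msg=audit\((?P<time>\d+\.\d+):\d+\):.*?\bargc=(?P<argc>\d+)')
ARG_RE = re.compile(r'\ba(?P<idx>\d+)="(?P<val>[^"]*)"')


def parse_execve(host, line):
    """Turn one EXECVE record into the fields the search uses.

    Assumption: execve_command is argv joined by spaces. Only the quoted
    aN="..." form is handled; real auditd hex-encodes arguments that contain
    spaces or control characters, which a production parser must decode.
    """
    if not line.startswith("type=EXECVE"):
        return None
    m = EXECVE_RE.search(line)
    if m is None:
        return None
    argc = int(m.group("argc"))
    args = {int(a.group("idx")): a.group("val") for a in ARG_RE.finditer(line)}
    command = " ".join(args[i] for i in range(argc) if i in args)
    return {"_time": float(m.group("time")), "argc": argc,
            "execve_command": command, "dest": host}


def matches_rule(event):
    """execve_command = "*modprobe*" AND execve_command = "*-r *"

    Splunk field comparisons are case-insensitive, so both sides are lowered.
    """
    command = event["execve_command"].lower()
    return "modprobe" in command and "-r " in command


def run_search(events):
    """stats count min(_time) as firstTime max(_time) as lastTime
       BY argc execve_command dest"""
    rows = {}
    for host, line in events:
        event = parse_execve(host, line)
        if event is None or not matches_rule(event):
            continue
        key = (event["argc"], event["execve_command"], event["dest"])
        row = rows.setdefault(key, {"count": 0, "firstTime": event["_time"],
                                    "lastTime": event["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], event["_time"])
        row["lastTime"] = max(row["lastTime"], event["_time"])
    return rows


def unload_but_unmatched(events):
    """Module-unload command lines the two wildcards do not catch, in event
    order: rmmod, modprobe --remove, and modprobe with -r bundled into a
    group of short options. Useful as a tuning checklist for the rule."""
    missed = []
    for host, line in events:
        event = parse_execve(host, line)
        if event is None or matches_rule(event):
            continue
        argv = event["execve_command"].split()
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "rmmod":
            missed.append(event["execve_command"])
        elif prog == "modprobe" and any(
                a == "--remove" or (a.startswith("-") and not a.startswith("--") and "r" in a[1:])
                for a in argv[1:]):
            missed.append(event["execve_command"])
    return missed


if __name__ == "__main__":
    for (argc, command, dest), row in sorted(run_search(SAMPLE_EVENTS).items()):
        print(f"{dest:6} argc={argc} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}  {command}")
    print("unload commands the rule misses:", unload_but_unmatched(SAMPLE_EVENTS))
```

Three rows come out of `run_search`: one each for the two `web01` invocations and a single `db01` row with `count=2` whose `firstTime`/`lastTime` span the two identical executions, which is exactly what the `stats ... BY argc execve_command dest` clause produces. `unload_but_unmatched` lists the `rmmod`, `--remove` and `-rv` lines that a tuned version of the rule would need to cover.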