Kernel rootkit installation attack

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1547-boot-or-logon-autostart-execution

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect kernel rootkit installation by correlating multiple indicators of kernel-level compromise within the same execution context.

Strategy

This correlation rule identifies kernel rootkit activity by detecting specific combinations of the following activity groups:

  • Kernel Module Modification: File operations on kernel modules, including chmod, chown, link, open, rename, unlink, and timestamp modifications within kernel module directories
  • Kernel Module Loading: Loading of kernel modules from disk or memory, including container-specific module loading operations
  • Development Environment: Installation of kernel headers, compiler usage in containers, or compilation activity following file delivery, which indicate potential rootkit development and compilation
  • Stealth and Discovery: Process masquerading via kernel thread naming or prctl, and kernel module enumeration using lsmod or kmod

The rule triggers different severity levels based on the combination of detected activities:

CaseSeverityRequired Components
Advanced Kernel RootkitCriticalModule Modification + Module Loading + Development Environment + Stealth/Discovery
Kernel Module Installation (Interactive)HighModule Modification + Module Loading (interactive session)
Rootkit Development Activity (Interactive)HighDevelopment Environment + Module Loading (interactive session)
Kernel Module InstallationMediumModule Modification + Module Loading
Rootkit Development ActivityMediumDevelopment Environment + Module Loading
Kernel ReconnaissanceMediumStealth/Discovery + Module Modification

Triage & Response

  1. Isolate immediately: Isolate the affected host. To preserve memory evidence, DO NOT REBOOT .

  2. Examine kernel modules: Review currently loaded modules with lsmod and compare against baseline to identify unauthorized modules.

  3. Investigate modified files: Analyze kernel module files that were modified in /lib/modules/ or similar paths.

  4. Check development activity: Review compilation activity, kernel header installations, and build artifacts that may indicate rootkit compilation.

  5. Analyze stealth techniques: Investigate process masquerading and kernel-level hiding mechanisms including processes mimicking kernel thread names.

  6. Perform memory forensics: Capture memory dumps and analyze for rootkit artifacts before any remediation.

  7. Check for persistence: Review boot configurations, initramfs, and module loading configurations for persistence mechanisms.

  8. Boot from external media: Use clean boot environment for forensic analysis and rootkit detection tools.

  9. Rebuild system: Restore from known-good images with kernel module signing and secure boot enabled.