Name:Linux File Created In Kernel Driver Directory id:b85bbeec-6326-11ec-9311-acde48001122 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level. Data_source:
-Sysmon for Linux EventID 11
search:| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*/kernel/drivers/*") by Filesystem.dest Filesystem.file_name Filesystem.process_guid Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `linux_file_created_in_kernel_driver_directory_filter`
how_to_implement:To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase. known_false_positives:Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives. References: -https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/ -https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup -https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485 drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Linux Privilege Escalation' - 'Linux Persistence Techniques' - 'Linux Rootkit' asset_type:Endpoint confidence:90 impact:80 message:A file $file_name$ is created in $file_path$ on $dest$ mitre_attack_id: - 'T1547.006' - 'T1547' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Filesystem.dest' - 'Filesystem.file_create_time' - 'Filesystem.file_name' - 'Filesystem.process_guid' - 'Filesystem.file_path' risk_score:72 security_domain:endpoint
