{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kernel-module/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kernel"],"_cs_severities":["high"],"_cs_tags":["kernel-module","persistence","rootkit","linux"],"_cs_type":"advisory","_cs_vendors":["Linux"],"content_html":"\u003cp\u003eThis detection identifies instances where Linux kernel modules are loaded from locations outside the typical system directories (e.g., /lib/modules). Kernel modules are typically loaded from specific directories managed by the system, and loading from other locations can indicate an attempt to hide malicious code or persist unauthorized functionality within the kernel. This behavior is often associated with rootkits or advanced persistent threats (APTs) seeking to maintain a low profile on compromised systems. This detection is crucial for identifying potentially malicious kernel-level activity that bypasses normal security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through exploitation of a vulnerability or compromised credentials, allowing an attacker to gain privileged access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads or compiles a malicious kernel module to a non-standard directory, such as /tmp/ or /var/tmp/.\u003c/li\u003e\n\u003cli\u003eUsing the \u003ccode\u003einsmod\u003c/code\u003e or \u003ccode\u003emodprobe\u003c/code\u003e command, the attacker attempts to load the malicious kernel module into the running kernel.\u003c/li\u003e\n\u003cli\u003eThe system logs an event related to the kernel module load attempt, including the path from where the module is loaded.\u003c/li\u003e\n\u003cli\u003eThe malicious kernel module executes its intended payload, potentially hooking system calls or modifying kernel data structures.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the loaded module for persistence, ensuring the malicious code is loaded automatically on subsequent reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the module to hide processes, files, or network connections, further concealing their activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using a malicious kernel module can result in complete system compromise. Attackers can use this technique to bypass security controls, establish persistent access, and hide their activities from standard monitoring tools. This can lead to data theft, system instability, or the deployment of ransomware. The compromised kernel can also be used to infect other systems on the network.\u003c/p\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-kernel-module-load-from-unusual-location/","summary":"This alert detects the loading of Linux kernel modules from non-standard directories, potentially indicating malicious persistence or rootkit activity.","title":"Suspicious Kernel Module Load from Unusual Location (Linux)","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kernel-module-load-from-unusual-location/"}],"language":"en","title":"CraftedSignal Threat Feed - Kernel-Module","version":"https://jsonfeed.org/version/1.1"}