<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Kernel-Module - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/kernel-module/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/kernel-module/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Kernel Module Load from Unusual Location (Linux)</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-kernel-module-load-from-unusual-location/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-kernel-module-load-from-unusual-location/</guid><description>This alert detects the loading of Linux kernel modules from non-standard directories, potentially indicating malicious persistence or rootkit activity.</description><content:encoded><![CDATA[<p>This detection identifies instances where Linux kernel modules are loaded from locations outside the typical system directories (e.g., /lib/modules). Kernel modules are typically loaded from specific directories managed by the system, and loading from other locations can indicate an attempt to hide malicious code or persist unauthorized functionality within the kernel. This behavior is often associated with rootkits or advanced persistent threats (APTs) seeking to maintain a low profile on compromised systems. This detection is crucial for identifying potentially malicious kernel-level activity that bypasses normal security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is achieved through exploitation of a vulnerability or compromised credentials, allowing an attacker to gain privileged access to the system.</li>
<li>The attacker uploads or compiles a malicious kernel module to a non-standard directory, such as /tmp/ or /var/tmp/.</li>
<li>Using the <code>insmod</code> or <code>modprobe</code> command, the attacker attempts to load the malicious kernel module into the running kernel.</li>
<li>The system logs an event related to the kernel module load attempt, including the path from where the module is loaded.</li>
<li>The malicious kernel module executes its intended payload, potentially hooking system calls or modifying kernel data structures.</li>
<li>The attacker leverages the loaded module for persistence, ensuring the malicious code is loaded automatically on subsequent reboots.</li>
<li>The attacker can use the module to hide processes, files, or network connections, further concealing their activity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using a malicious kernel module can result in complete system compromise. Attackers can use this technique to bypass security controls, establish persistent access, and hide their activities from standard monitoring tools. This can lead to data theft, system instability, or the deployment of ransomware. The compromised kernel can also be used to infect other systems on the network.</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>kernel-module</category><category>persistence</category><category>rootkit</category><category>linux</category></item></channel></rss>