{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kernel-ring-buffer/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend","Elastic Endgame"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","kernel-ring-buffer","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies attempts to clear the kernel ring buffer on Linux systems, a tactic often employed by attackers to evade detection after installing malicious Linux Kernel Modules (LKMs). The kernel ring buffer stores system messages, including those related to LKM installation and activity. By clearing this buffer using the \u003ccode\u003edmesg\u003c/code\u003e command with specific arguments, attackers aim to remove traces of their activities, hindering forensic investigations and incident response. This technique is often associated with intrusions leveraging kernel-level rootkits to maintain persistence on compromised hosts. The rule monitors for the execution of the \u003ccode\u003edmesg\u003c/code\u003e command with arguments used to clear the buffer, providing a high-fidelity signal of potential defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Linux system, potentially through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to root, if necessary, to perform kernel-level operations.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious Linux Kernel Module (LKM) to establish persistence or perform other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003edmesg\u003c/code\u003e command with the \u003ccode\u003e-c\u003c/code\u003e, \u003ccode\u003e-C\u003c/code\u003e, \u003ccode\u003e--clear\u003c/code\u003e, or \u003ccode\u003e--read-clear\u003c/code\u003e arguments. This command clears the kernel ring buffer, removing recent system messages.\u003c/li\u003e\n\u003cli\u003eThe system logs record the execution of the \u003ccode\u003edmesg\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe attacker may further tamper with other logs or system configurations to eliminate additional evidence of their presence.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access through the installed LKM, potentially performing data exfiltration or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s objective is to maintain a hidden presence and continue malicious activities without detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of the kernel ring buffer can significantly hinder incident response efforts. It can obscure the installation and activities of malicious LKMs, making it difficult to identify the root cause of a compromise and assess the extent of the damage. This evasion tactic allows attackers to maintain a persistent presence on the compromised system, potentially leading to long-term data theft, system disruption, or other malicious outcomes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect attempts to clear the kernel ring buffer via \u003ccode\u003edmesg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the user account and processes involved.\u003c/li\u003e\n\u003cli\u003eMonitor for the installation and modification of Linux kernel modules (LKMs) to detect unauthorized kernel-level changes.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions to limit the ability to execute commands like \u003ccode\u003edmesg -c\u003c/code\u003e to authorized users only.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend, Elastic Endgame, Auditd Manager, CrowdStrike, and SentinelOne data ingestion to enable the detection rule from the source advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T12:06:39Z","date_published":"2026-06-01T12:06:39Z","id":"https://feed.craftedsignal.io/briefs/2026-06-clear-kernel-ring-buffer/","summary":"The rule detects attempts to clear the kernel ring buffer on Linux systems using the `dmesg` command with options like `-c`, `-C`, `--clear`, or `--read-clear` to evade detection.","title":"Attempt to Clear Kernel Ring Buffer via dmesg","url":"https://feed.craftedsignal.io/briefs/2026-06-clear-kernel-ring-buffer/"}],"language":"en","title":"CraftedSignal Threat Feed — Kernel-Ring-Buffer","version":"https://jsonfeed.org/version/1.1"}