Analytics Story: Linux Rootkit
Description
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Why it matters
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not standout as much as a Windows rootkit, therefore understanding what kernel modules are installed today and monitoring for new is important. As with any rootkit, it may blend in using a common kernel name or variation of legitimate names.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Linux Auditd Syscall |  Linux |
linux:audit |
/var/log/audit/audit.log |
| Sysmon for Linux EventID 1 | Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
| Sysmon for Linux EventID 11 | Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
References
- https://attack.mitre.org/techniques/T1014/
- https://content.fireeye.com/apt-41/rpt-apt41
- https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a
Source: GitHub | Version: 1