Analytics Story: Linux Rootkit

Description

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.

Why it matters

Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, including a hypervisor, the Master Boot Record, or system firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems. Linux rootkits may not stand out as much as a Windows rootkit, so it is important to know which kernel modules are installed today and to monitor for new ones. As with any rootkit, it may blend in by using a common kernel module name or a variation of a legitimate name.
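The baseline-and-monitor approach described above, as an added example that is not part of the original story and not Splunk's own code: it parses the /proc/modules format (the data lsmod prints), compares a saved inventory against a current one, and flags new module names that closely resemble a name already in the baseline. The module names in the two snapshots (including sysmod_helper and ext4_fs) are constructed for illustration, and the lookalike rule is a heuristic of this example, not a documented detection.

```python
"""Baseline the loaded kernel modules and report newly loaded ones.

Parses the /proc/modules format (name size refcount deps state address)
so that an inventory taken today can be compared against a later snapshot.
"""
import os
import sys

# Constructed sample snapshots in /proc/modules format (not real captures).
BASELINE = """\
ext4 778240 1 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
jbd2 126976 1 ext4, Live 0x0000000000000000
nf_tables 245760 0 - Live 0x0000000000000000
"""

CURRENT = """\
ext4 778240 1 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
jbd2 126976 1 ext4, Live 0x0000000000000000
ext4_fs 20480 0 - Live 0x0000000000000000
sysmod_helper 16384 0 - Live 0x0000000000000000
"""


def parse_proc_modules(text):
    """Return {name: {size, refcount, deps}} for each line of /proc/modules."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        name, size, refcount = fields[0], int(fields[1]), int(fields[2])
        deps = []
        # The deps column is "-" or a comma-separated list with a trailing comma.
        if len(fields) > 3 and fields[3] != "-":
            deps = [d for d in fields[3].split(",") if d]
        modules[name] = {"size": size, "refcount": refcount, "deps": deps}
    return modules


def edit_distance(a, b):
    """Levenshtein distance, used to spot small variations of known names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(name, known, max_distance=2):
    """Known module names that `name` resembles: shares a prefix or is within
    a few edits. Heuristic of this example; results need analyst review."""
    hits = []
    for k in known:
        if k == name:
            continue
        if name.startswith(k) or k.startswith(name) or edit_distance(name, k) <= max_distance:
            hits.append(k)
    return sorted(hits)


def compare_inventories(baseline, current):
    """Diff two parsed inventories: new modules, vanished modules, and new
    modules whose names resemble something already in the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    suspicious = {n: lookalikes(n, baseline) for n in added}
    return {
        "added": added,
        "removed": removed,
        "lookalikes": {n: hits for n, hits in suspicious.items() if hits},
    }


def load_live_modules():
    """Read the live module list; only meaningful on a Linux host."""
    with open("/proc/modules") as f:
        return parse_proc_modules(f.read())


if __name__ == "__main__":
    # Usage: python kmod_baseline.py [saved_baseline_file]
    # Without arguments the constructed samples above are compared.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            base = parse_proc_modules(f.read())
        now = load_live_modules()
    else:
        base, now = parse_proc_modules(BASELINE), parse_proc_modules(CURRENT)
    for key, value in compare_inventories(base, now).items():
        print(f"{key}: {value}")
```

A module that disappears from the listing is reported alongside new ones, since a module that hides itself from /proc/modules while still running is exactly the behaviour a rootkit is after; the saved baseline should be written from a known-good boot and stored off the host.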

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Linux Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions | Anomaly |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions | Anomaly |
| Linux File Created In Kernel Driver Directory | Kernel Modules and Extensions | Anomaly |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions | Anomaly |
| Linux Kernel Module Enumeration | Rootkit, System Information Discovery | Anomaly |
| Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions | Anomaly |
| Windows Suspicious QEMU Execution | Data Obfuscation, Masquerading, Malicious File, Run Virtual Instance | TTP |
| Linux Auditd Kernel Module Enumeration | Rootkit, System Information Discovery | Anomaly |
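The three kinds of activity the Linux detections above look for (insmod/modprobe execution, kernel module enumeration, and files created in the kernel driver directory), as an added example that is not part of the story and not Splunk's detection logic: it parses Sysmon for Linux events in the Windows event XML schema (EventID 1 process creation, EventID 11 file creation) and labels the ones that match. The events, paths and the sysmod_helper.ko name are constructed for illustration; the matching rules are this example's own, and the auditd-based detections in the table are not covered here.

```python
"""Label kernel-module activity in Sysmon for Linux events.

Handles EventID 1 (process creation) and EventID 11 (file creation) in the
Windows event XML schema that Sysmon for Linux also emits.
"""
import os
import xml.etree.ElementTree as ET

LOADER_TOOLS = {"insmod", "modprobe"}
ENUM_TOOLS = {"lsmod"}
MODULE_DIRS = ("/lib/modules/", "/usr/lib/modules/")
MODULE_SUFFIXES = (".ko", ".ko.xz", ".ko.zst", ".ko.gz")


def sysmon_xml(event_id, **data):
    """Build a minimal Sysmon-style event; used only to construct samples."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample events (not real captures).
SAMPLE_EVENTS = [
    sysmon_xml(1, Image="/usr/sbin/insmod", CommandLine="insmod /tmp/sysmod_helper.ko",
               ParentImage="/bin/bash"),
    sysmon_xml(1, Image="/usr/bin/lsmod", CommandLine="lsmod", ParentImage="/bin/bash"),
    sysmon_xml(1, Image="/usr/bin/cat", CommandLine="cat /proc/modules", ParentImage="/bin/bash"),
    sysmon_xml(11, TargetFilename="/lib/modules/6.1.0/kernel/drivers/misc/sysmod_helper.ko",
               Image="/usr/bin/cp"),
    sysmon_xml(11, TargetFilename="/var/log/syslog", Image="/usr/sbin/rsyslogd"),
    sysmon_xml(1, Image="/usr/bin/ls", CommandLine="ls -la /tmp", ParentImage="/bin/bash"),
]


def parse_sysmon_event(xml_text):
    """Flatten one event into {EventID, <Data Name>: value, ...}."""
    root = ET.fromstring(xml_text)
    event = {"EventID": None}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the event-schema namespace
        if tag == "EventID":
            event["EventID"] = int(el.text)
        elif tag == "Data" and el.get("Name"):
            event[el.get("Name")] = (el.text or "").strip()
    return event


def classify(event):
    """Return a label for the event, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid == 1:
        tool = os.path.basename(event.get("Image", ""))
        cmd = event.get("CommandLine", "")
        if tool in LOADER_TOOLS:
            return "kernel_module_insert"
        if tool in ENUM_TOOLS or "/proc/modules" in cmd or cmd.startswith("kmod list"):
            return "kernel_module_enumeration"
    elif eid == 11:
        path = event.get("TargetFilename", "")
        if path.startswith(MODULE_DIRS) and path.endswith(MODULE_SUFFIXES):
            return "kernel_driver_file_created"
    return None


def scan(events_xml):
    """Run classify() over raw events and collect the findings with context
    an analyst needs for triage (image, command line, parent process)."""
    findings = []
    for xml_text in events_xml:
        ev = parse_sysmon_event(xml_text)
        label = classify(ev)
        if label:
            findings.append({
                "label": label,
                "image": ev.get("Image", ""),
                "path": ev.get("TargetFilename", ""),
                "command": ev.get("CommandLine", ""),
                "parent": ev.get("ParentImage", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

modprobe and file creation under /lib/modules are routine during boot, package upgrades and kernel installs, which is why these detections are typed as anomalies rather than TTPs; the parent process and command line carried in each finding are what separate a package manager or udev from an interactive shell loading a module out of /tmp.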

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Linux Auditd Syscall | Linux | auditd | auditd |
| Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |

Source: GitHub | Version: 2