MEDIUM
Source
Tracee
ID
TRC-1017
Version
1
Date
11 Mar 2024

Kernel Module Loading Detected

Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try to load kernel modules to extend their capabilities and avoid detection by running in the kernel rather than in user space. Note that this signature reports every module load it observes, including legitimate ones (for example, driver loads at boot or by package installers), and it does not check whether the module is signed; triage by the originating process carried in the finding's event.

MITRE ATT&CK

Persistence: Kernel Modules and Extensions (T1547.006)

Go Source

package main

import (
	"fmt"

	"github.com/aquasecurity/tracee/signatures/helpers"
	"github.com/aquasecurity/tracee/types/detect"
	"github.com/aquasecurity/tracee/types/protocol"
	"github.com/aquasecurity/tracee/types/trace"
)

// KernelModuleLoading is the TRC-1017 signature: it raises a finding whenever
// a kernel module load is observed, either through the init_module syscall
// event or through a security_kernel_read_file event whose "type" argument
// is "kernel-module".
type KernelModuleLoading struct {
	// cb is the engine callback supplied at Init time; every finding is
	// delivered through it.
	cb detect.SignatureHandler
}

// Init stores the engine's finding callback from ctx so OnEvent can report
// through it. It never fails.
func (sig *KernelModuleLoading) Init(ctx detect.SignatureContext) error {
	handler := ctx.Callback
	sig.cb = handler
	return nil
}

// GetMetadata returns the static identity of this signature: its TRC id and
// version, the event name the engine emits for findings, and the MITRE ATT&CK
// mapping (T1547.006, Kernel Modules and Extensions) carried in Properties.
// It never fails.
func (sig *KernelModuleLoading) GetMetadata() (detect.SignatureMetadata, error) {
	props := map[string]interface{}{
		"Severity":             2,
		"Category":             "persistence",
		"Technique":            "Kernel Modules and Extensions",
		"Kubernetes_Technique": "",
		"id":                   "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6",
		"external_id":          "T1547.006",
	}

	md := detect.SignatureMetadata{
		ID:          "TRC-1017",
		Version:     "1",
		Name:        "Kernel module loading detected",
		EventName:   "kernel_module_loading",
		Description: "Loading of a kernel module was detected. Kernel modules are binaries meant to run in the kernel. Adversaries may try and load kernel modules to extend their capabilities and avoid detection by running in the kernel and not user space.",
		Properties:  props,
	}
	return md, nil
}

// GetSelectedEvents subscribes this signature to the two tracee events it
// inspects: init_module and security_kernel_read_file, from any origin
// (host or container). It never fails.
func (sig *KernelModuleLoading) GetSelectedEvents() ([]detect.SignatureEventSelector, error) {
	names := []string{"init_module", "security_kernel_read_file"}

	selectors := make([]detect.SignatureEventSelector, 0, len(names))
	for _, name := range names {
		selectors = append(selectors, detect.SignatureEventSelector{
			Source: "tracee",
			Name:   name,
			Origin: "*",
		})
	}
	return selectors, nil
}

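// OnEvent inspects one tracee event and reports a finding when it represents
// a kernel module load.
//
// Two paths lead to a finding:
//   - an init_module event always does, since the syscall itself is the load;
//   - a security_kernel_read_file event does only when its "type" argument is
//     "kernel-module" (presumably the hook also fires for other kernel file
//     reads, such as firmware, which are not reported — verify against the
//     event definition).
//
// Returns an error if the payload is not a trace.Event or if the "type"
// argument cannot be read from a security_kernel_read_file event; other
// event names are ignored and return nil.
func (sig *KernelModuleLoading) OnEvent(event protocol.Event) error {
	eventObj, ok := event.Payload.(trace.Event)
	if !ok {
		return fmt.Errorf("invalid event")
	}

	switch eventObj.EventName {
	case "init_module":
		return sig.report(event)
	case "security_kernel_read_file":
		loadedType, err := helpers.GetTraceeStringArgumentByName(eventObj, "type")
		if err != nil {
			return err
		}
		if loadedType != "kernel-module" {
			return nil
		}
		return sig.report(event)
	}

	return nil
}

// report wraps event in a Finding tagged with this signature's metadata and
// hands it to the engine callback. Both OnEvent branches share it so the
// finding shape stays identical regardless of which event triggered it.
func (sig *KernelModuleLoading) report(event protocol.Event) error {
	metadata, err := sig.GetMetadata()
	if err != nil {
		return err
	}
	sig.cb(&detect.Finding{
		SigMetadata: metadata,
		Event:       event,
		Data:        nil,
	})
	return nil
}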

// OnSignal is part of the detect.Signature interface; this signature keeps no
// state that engine signals would affect, so it ignores s and never fails.
func (sig *KernelModuleLoading) OnSignal(s detect.Signal) error {
	// Nothing to react to: findings are emitted synchronously from OnEvent.
	return nil
}
// Close is part of the detect.Signature interface; the signature holds no
// resources, so there is nothing to release.
func (sig *KernelModuleLoading) Close() {
	// intentionally empty
}