sigma
Add rule for insert or remove rootkit
Summary of the Pull Request
Adversaries may attempt to insert/remove rootkits onto a victim host. This rule detects the use of commands such as 'insmod', 'modprobe', and 'rmmod' which are commonly used to load or remove kernel modules.
Changelog
Example Log Event
modprobe log
<Events>
<Event>
<System>
<Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2024-12-08T12:17:05.947567000Z"/>
<EventRecordID>364668</EventRecordID>
<Correlation/>
<Execution ProcessID="1252" ThreadID="1252"/>
<Channel>Linux-Sysmon/Operational</Channel>
<Computer>caldera-virtual-machine</Computer>
<Security UserId="0"/>
</System>
<EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-12-08 12:17:06.840</Data>
<Data Name="ProcessGuid">{36fe7a82-8e42-6755-b5e8-90b89c550000}</Data>
<Data Name="ProcessId">3071</Data>
<Data Name="Image">/usr/bin/kmod</Data>
<Data Name="FileVersion">-</Data>
<Data Name="Description">-</Data>
<Data Name="Product">-</Data>
<Data Name="Company">-</Data>
<Data Name="OriginalFileName">-</Data>
<Data Name="CommandLine">modprobe /usr/lib/modules/5.15.0-124-generic/kernel/mm/z3fos.ko</Data>
<Data Name="CurrentDirectory">/home/caldera</Data>
<Data Name="User">root</Data>
<Data Name="LogonGuid">{36fe7a82-0000-0000-0000-000000000000}</Data>
<Data Name="LogonId">0</Data>
<Data Name="TerminalSessionId">3</Data>
<Data Name="IntegrityLevel">no level</Data>
<Data Name="Hashes">SHA256=b053785f6308f16a0d3259c4f925a78b761ff5e922b2529079a579581a82cfca</Data>
<Data Name="ParentProcessGuid">{36fe7a82-8e42-6755-d5ab-c64af2550000}</Data>
<Data Name="ParentProcessId">3070</Data>
<Data Name="ParentImage">/usr/bin/sudo</Data>
<Data Name="ParentCommandLine">sudo</Data>
<Data Name="ParentUser">caldera</Data>
</EventData>
</Event>
sudo modprobe log
<Event>
<System>
<Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2024-12-08T12:17:05.907715000Z"/>
<EventRecordID>364667</EventRecordID>
<Correlation/>
<Execution ProcessID="1252" ThreadID="1252"/>
<Channel>Linux-Sysmon/Operational</Channel>
<Computer>caldera-virtual-machine</Computer>
<Security UserId="0"/>
</System>
<EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-12-08 12:17:06.800</Data>
<Data Name="ProcessGuid">{36fe7a82-8e42-6755-d5ab-c64af2550000}</Data>
<Data Name="ProcessId">3070</Data>
<Data Name="Image">/usr/bin/sudo</Data>
<Data Name="FileVersion">-</Data>
<Data Name="Description">-</Data>
<Data Name="Product">-</Data>
<Data Name="Company">-</Data>
<Data Name="OriginalFileName">-</Data>
<Data Name="CommandLine">sudo modprobe /usr/lib/modules/5.15.0-124-generic/kernel/mm/z3fos.ko</Data>
<Data Name="CurrentDirectory">/home/caldera</Data>
<Data Name="User">caldera</Data>
<Data Name="LogonGuid">{36fe7a82-0000-0000-e803-000000000000}</Data>
<Data Name="LogonId">1000</Data>
<Data Name="TerminalSessionId">3</Data>
<Data Name="IntegrityLevel">no level</Data>
<Data Name="Hashes">SHA256=aa14020c0639285fc2e4592eaf6a4e8e9c5fa799bc7bda3ee929a0b5593239dc</Data>
<Data Name="ParentProcessGuid">{36fe7a82-6868-6755-d5d6-c908e8550000}</Data>
<Data Name="ParentProcessId">2352</Data>
<Data Name="ParentImage">/usr/bin/bash</Data>
<Data Name="ParentCommandLine">bash</Data>
<Data Name="ParentUser">caldera</Data>
</EventData>
</Event>
rmmod log
<Event>
<System>
<Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2024-12-08T12:16:38.315031000Z"/>
<EventRecordID>364664</EventRecordID>
<Correlation/>
<Execution ProcessID="1252" ThreadID="1252"/>
<Channel>Linux-Sysmon/Operational</Channel>
<Computer>caldera-virtual-machine</Computer>
<Security UserId="0"/>
</System>
<EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-12-08 12:16:39.207</Data>
<Data Name="ProcessGuid">{36fe7a82-8e27-6755-b548-d921b5550000}</Data>
<Data Name="ProcessId">3066</Data>
<Data Name="Image">/usr/bin/kmod</Data>
<Data Name="FileVersion">-</Data>
<Data Name="Description">-</Data>
<Data Name="Product">-</Data>
<Data Name="Company">-</Data>
<Data Name="OriginalFileName">-</Data>
<Data Name="CommandLine">rmmod /usr/lib/modules/5.15.0-124-generic/kernel/mm/z3fos.ko</Data>
<Data Name="CurrentDirectory">/home/caldera</Data>
<Data Name="User">root</Data>
<Data Name="LogonGuid">{36fe7a82-0000-0000-0000-000000000000}</Data>
<Data Name="LogonId">0</Data>
<Data Name="TerminalSessionId">3</Data>
<Data Name="IntegrityLevel">no level</Data>
<Data Name="Hashes">SHA256=b053785f6308f16a0d3259c4f925a78b761ff5e922b2529079a579581a82cfca</Data>
<Data Name="ParentProcessGuid">{36fe7a82-8e27-6755-d54b-9ca1cd550000}</Data>
<Data Name="ParentProcessId">3065</Data>
<Data Name="ParentImage">/usr/bin/sudo</Data>
<Data Name="ParentCommandLine">sudo</Data>
<Data Name="ParentUser">caldera</Data>
</EventData>
</Event>
insmod log
<Event>
<System>
<Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2024-12-08T12:16:27.953174000Z"/>
<EventRecordID>364662</EventRecordID>
<Correlation/>
<Execution ProcessID="1252" ThreadID="1252"/>
<Channel>Linux-Sysmon/Operational</Channel>
<Computer>caldera-virtual-machine</Computer>
<Security UserId="0"/>
</System>
<EventData>
<Data Name="RuleName">-</Data>
<Data Name="UtcTime">2024-12-08 12:16:28.845</Data>
<Data Name="ProcessGuid">{36fe7a82-8e1c-6755-b508-7ecc18560000}</Data>
<Data Name="ProcessId">3064</Data>
<Data Name="Image">/usr/bin/kmod</Data>
<Data Name="FileVersion">-</Data>
<Data Name="Description">-</Data>
<Data Name="Product">-</Data>
<Data Name="Company">-</Data>
<Data Name="OriginalFileName">-</Data>
<Data Name="CommandLine">insmod /usr/lib/modules/5.15.0-124-generic/kernel/mm/z3fold.ko</Data>
<Data Name="CurrentDirectory">/home/caldera</Data>
<Data Name="User">root</Data>
<Data Name="LogonGuid">{36fe7a82-0000-0000-0000-000000000000}</Data>
<Data Name="LogonId">0</Data>
<Data Name="TerminalSessionId">3</Data>
<Data Name="IntegrityLevel">no level</Data>
<Data Name="Hashes">SHA256=b053785f6308f16a0d3259c4f925a78b761ff5e922b2529079a579581a82cfca</Data>
<Data Name="ParentProcessGuid">{36fe7a82-8e1b-6755-d5fb-2b2498550000}</Data>
<Data Name="ParentProcessId">3062</Data>
<Data Name="ParentImage">/usr/bin/sudo</Data>
<Data Name="ParentCommandLine">sudo</Data>
<Data Name="ParentUser">caldera</Data>
</EventData>
</Event>
</Events>
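To see how the proposed rule logic behaves against the events above, here is an added Python example (not part of the pull request or the Sigma project): it flattens Sysmon-for-Linux EventID 1 records, matches on Image ending in /kmod or on a command whose first word (after an optional sudo) is insmod, modprobe or rmmod, and enriches each hit with the module path. The sample XML is a constructed, trimmed copy of the page's events plus one benign command that only mentions "modprobe"; a bare substring match on CommandLine would fire on it, this matcher does not.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's Sysmon-for-Linux EventID 1 events, trimmed to the
# fields the rule needs, plus one benign command that merely mentions "modprobe".
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/kmod</Data>
<Data Name="CommandLine">modprobe /usr/lib/modules/5.15.0-124-generic/kernel/mm/z3fos.ko</Data><Data Name="User">root</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/sudo</Data>
<Data Name="CommandLine">sudo modprobe /usr/lib/modules/5.15.0-124-generic/kernel/mm/z3fos.ko</Data><Data Name="User">caldera</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/kmod</Data>
<Data Name="CommandLine">rmmod /usr/lib/modules/5.15.0-124-generic/kernel/mm/z3fos.ko</Data><Data Name="User">root</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData><Data Name="Image">/usr/bin/bash</Data>
<Data Name="CommandLine">bash -c 'echo modprobe'</Data><Data Name="User">caldera</Data></EventData></Event>
</Events>"""

KMOD_TOOLS = ("insmod", "modprobe", "rmmod")

def parse_events(xml_text):
    """Flatten each <Event> into a dict of EventID plus its EventData fields."""
    out = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        rec = {"EventID": ev.findtext("System/EventID")}
        for d in ev.iter("Data"):
            rec[d.get("Name")] = d.text or ""
        out.append(rec)
    return out

def matches_rule(rec):
    """Process creation by kmod itself, or a command whose first word (after an
    optional sudo) is one of the module tools; avoids bare substring matches."""
    if rec.get("EventID") != "1":
        return False
    if rec.get("Image", "").endswith("/kmod"):
        return True
    argv = rec.get("CommandLine", "").split()
    if argv and argv[0] == "sudo":
        argv = argv[1:]
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in KMOD_TOOLS

def detect(xml_text):
    """Return one enriched hit per matching event (tool, user, module path)."""
    hits = []
    for rec in parse_events(xml_text):
        if not matches_rule(rec):
            continue
        argv = rec["CommandLine"].split()
        tool = next((a.rsplit("/", 1)[-1] for a in argv if a.rsplit("/", 1)[-1] in KMOD_TOOLS), argv[0])
        module = argv[-1] if argv[-1].endswith(".ko") else None
        hits.append({"image": rec["Image"], "user": rec.get("User"), "tool": tool, "module": module})
    return hits
```

Note that one `sudo modprobe` invocation produces two matching events (the sudo wrapper and the kmod child), so a rule keyed on CommandLine alerts twice per action unless the consumer correlates on ParentProcessGuid; loading a module from the stock /usr/lib/modules tree, as in these samples, is also routine and will need tuning in a real deployment.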
Fixed Issues
SigmaHQ Rule Creation Conventions
- If your PR adds new rules, please consider following and applying these conventions
I faced an error that says, 'Rule has a title with invalid case.' I tried many keywords but couldn't pass it. Could you suggest a good title for it, or provide a list of blacklisted words for the title?
From the test result https://github.com/SigmaHQ/sigma/actions/runs/12250758661/job/34174271371#step:5:36