Add nursery rules for Linux kernel rootkit techniques#1136
aryanyk wants to merge 2 commits into mandiant:master from
Conversation
mike-hunhoff
left a comment
Thanks @aryanyk, I've left comments for your review.
    static: function
    dynamic: call
    att&ck:
      - Defense Evasion::Impair Defenses [T1562]
Please explain why this is a good fit.
Registering Netfilter hooks allows a kernel module to intercept, inspect, or modify network traffic at different stages of the networking stack. Malicious kernel modules and rootkits often use this capability to hide network activity or manipulate packets, which aligns with ATT&CK technique T1562 (Impair Defenses).
    static: function
    dynamic: call
    att&ck:
      - Privilege Escalation::Exploitation for Privilege Escalation [T1068]
Please explain how this is a good fit.
This technique maps well to ATT&CK T1068 (Exploitation for Privilege Escalation) because Linux kernel rootkits commonly elevate privileges by creating a new credential structure with prepare_kernel_cred and applying it using commit_creds, effectively granting root privileges to the current process.
Please use your own personal knowledge, analysis and words. We all have access to LLM-based tools, so when we respond to you, we're not asking you to ask the LLM.
Fixes #998
Description
This PR adds two new nursery rules for detecting Linux kernel rootkit techniques.
The first rule detects privilege escalation patterns commonly used in Linux kernel rootkits where elevated credentials are created using prepare_kernel_cred and applied via commit_creds.
The second rule detects registration of Netfilter hooks through nf_register_net_hook or nf_register_hook, which can be used by kernel modules to intercept or modify network traffic.
Both rules target Linux kernel module behavior that may indicate rootkit activity.
Rules Added
escalate privileges via commit_creds on Linux
Detects the use of the prepare_kernel_cred → commit_creds API pattern frequently used by kernel rootkits to escalate privileges.
register Netfilter hook on Linux
Detects the registration of Netfilter hooks (nf_register_net_hook or nf_register_hook) that may be used to inspect or manipulate packet flow.
Testing
The rules were validated using the capa linting utilities.
Commands used:
Both rules pass lint checks.
Examples are not included yet, so the rules remain in the nursery directory.
References
AI Usage
AI tools were used to assist with drafting rule descriptions and refining rule structure. All rule logic and validation steps were reviewed and tested manually.
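As an added illustration of how the two rule ideas in this PR would be evaluated over a module's imported symbols (example code written for this page, not capa's rule engine or the PR's rule files; the and/or composition is assumed from the description above, and the `nm -u`-style listings are constructed):

```python
# Added example (not from capa or this PR): a minimal capa-style evaluator
# for the two detections described above, run over constructed symbol lists.
# Rule logic as and/or/api feature trees; the composition is assumed from the
# PR description (both credential APIs together, either Netfilter registration API).
RULES = {
    "escalate privileges via commit_creds on Linux": {
        "att&ck": ["Privilege Escalation::Exploitation for Privilege Escalation [T1068]"],
        "features": {"and": [{"api": "prepare_kernel_cred"}, {"api": "commit_creds"}]},
    },
    "register Netfilter hook on Linux": {
        "att&ck": ["Defense Evasion::Impair Defenses [T1562]"],
        "features": {"or": [{"api": "nf_register_net_hook"}, {"api": "nf_register_hook"}]},
    },
}

def parse_undefined_symbols(nm_output: str) -> set:
    """Collect undefined (imported) symbols from `nm -u`-style lines such as
    '                 U commit_creds'; any other line shape is ignored."""
    symbols = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "U":
            symbols.add(parts[1])
    return symbols

def evaluate(node: dict, apis: set) -> bool:
    """Recursively evaluate an and/or/api feature tree against imported names."""
    if "api" in node:
        return node["api"] in apis
    if "and" in node:
        return all(evaluate(child, apis) for child in node["and"])
    if "or" in node:
        return any(evaluate(child, apis) for child in node["or"])
    raise ValueError(f"unsupported feature node: {node}")

def match_rules(nm_output: str) -> dict:
    """Return {rule name: ATT&CK tags} for every rule whose logic matches."""
    apis = parse_undefined_symbols(nm_output)
    return {name: rule["att&ck"] for name, rule in RULES.items()
            if evaluate(rule["features"], apis)}

# Constructed sample: a module importing both credential helpers and a hook API.
SUSPICIOUS_MODULE = "\n".join(f"                 U {s}" for s in
    ["commit_creds", "nf_register_net_hook", "prepare_kernel_cred", "printk"])
# Constructed sample: commit_creds alone, as legitimate drivers use it, is not enough.
BENIGN_MODULE = "\n".join(f"                 U {s}" for s in
    ["commit_creds", "prepare_creds", "printk"])
```

The benign sample shows why the first rule requires both APIs: commit_creds on its own is ordinary kernel credential handling and would otherwise produce noisy matches.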