Linux Auditd Unload Module Via Modprobe

Status: production
Severity: medium
Group by: argc, dest, execve_command
Author: Teoderick Contreras, Splunk
Source: github.com/splunk/security_content

The following analytic detects suspicious use of the modprobe command to unload kernel modules, which may indicate an attempt to disable critical system components or evade detection. The modprobe utility manages kernel modules, and unauthorized unloading of modules can disrupt system security features, remove logging capabilities, or conceal malicious activities. By monitoring for unusual or unauthorized modprobe operations involving module unloading, this analytic helps identify potential tampering with kernel functionality, enabling security teams to investigate and address possible threats to system integrity.

MITRE ATT&CK coverage

Tactic	Techniques
Persistence	`T1547.006` Boot or Logon Autostart Execution: Kernel Modules and Extensions
Privilege Escalation	`T1547.006` Boot or Logon Autostart Execution: Kernel Modules and Extensions

Rule body splunk

name: Linux Auditd Unload Module Via Modprobe
id: 90964d6a-4b5f-409a-85bd-95e261e03fe9
version: 10
creation_date: '2024-08-12'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: TTP
description: The following analytic detects suspicious use of the `modprobe` command to unload kernel modules, which may indicate an attempt to disable critical system components or evade detection. The `modprobe` utility manages kernel modules, and unauthorized unloading of modules can disrupt system security features, remove logging capabilities, or conceal malicious activities. By monitoring for unusual or unauthorized `modprobe` operations involving module unloading, this analytic helps identify potential tampering with kernel functionality, enabling security teams to investigate and address possible threats to system integrity.
data_source:
    - Linux Auditd Execve
search: |-
    `linux_auditd` execve_command = "*modprobe*" AND execve_command = "*-r *"
      | rename host as dest
      | rename comm as process_name
      | rename exe as process
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY argc execve_command dest
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `linux_auditd_unload_module_via_modprobe_filter`
how_to_implement: To implement this detection, the process begins by ingesting auditd data, that consists of SYSCALL, TYPE, EXECVE and PROCTITLE events, which captures command-line executions and process details on Unix/Linux systems. These logs should be ingested and processed using Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833), which is essential for correctly parsing and categorizing the data. The next step involves normalizing the field names  to match the field names set by the Splunk Common Information Model (CIM) to ensure consistency across different data sources and enhance the efficiency of data modeling. This approach enables effective monitoring and detection of linux endpoints where auditd is deployed
known_false_positives: Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
references:
    - https://www.splunk.com/en_us/blog/security/deep-dive-on-persistence-privilege-escalation-technique-and-detection-in-linux-platform.html
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: A [$execve_command$] event occurred on host - [$dest$] to unload a kernel module via the modprobe command.
    entity:
        field: dest
        type: system
        score: 50
analytic_story:
    - Linux Living Off The Land
    - Linux Privilege Escalation
    - Linux Persistence Techniques
    - Compromised Linux Host
asset_type: Endpoint
mitre_attack_id:
    - T1547.006
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/linux_auditd_modprobe_unload_module/auditd_execve_modprobe.log
          source: auditd
          sourcetype: auditd
      test_type: unit

Stages and Predicates

Stage 1: `search`

`linux_auditd` execve_command = "*modprobe*" AND execve_command = "*-r *"

Stage 2: `rename`

| rename host as dest

Stage 3: `rename`

| rename comm as process_name

Stage 4: `rename`

| rename exe as process

Stage 5: `stats`

| stats count min(_time) as firstTime max(_time) as lastTime
    BY argc execve_command dest

Stage 6: `search`

| `security_content_ctime(firstTime)`

Stage 7: `search`

| `security_content_ctime(lastTime)`

Stage 8: `search`

| `linux_auditd_unload_module_via_modprobe_filter`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`execve_command`	eq	`"-r "` `"modprobe"`
`sourcetype`	eq	`auditd`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Linux Auditd Unload Module Via Modprobe

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: `search`

Stage 2: `rename`

Stage 3: `rename`

Stage 4: `rename`

Stage 5: `stats`

Stage 6: `search`

Stage 7: `search`

Stage 8: `search`

Indicators

Keyboard shortcuts

Search operators

Linux Auditd Unload Module Via Modprobe

MITRE ATT&CK coverage

Rule body splunk

Stages and Predicates

Stage 1: search

Stage 2: rename

Stage 3: rename

Stage 4: rename

Stage 5: stats

Stage 6: search

Stage 7: search

Stage 8: search

Indicators

Stage 1: `search`

Stage 2: `rename`

Stage 3: `rename`

Stage 4: `rename`

Stage 5: `stats`

Stage 6: `search`

Stage 7: `search`

Stage 8: `search`