Detection rules › Splunk
Linux File Created In Kernel Driver Directory
The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Persistence | T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions |
| Privilege Escalation | T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions |
Rule body splunk
name: Linux File Created In Kernel Driver Directory
id: b85bbeec-6326-11ec-9311-acde48001122
version: 11
creation_date: '2022-01-05'
modification_date: '2026-05-13'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic detects the creation of files in the Linux kernel/driver directory. It leverages filesystem data to identify new files in this critical directory. This activity is significant because the kernel/driver directory is typically reserved for kernel modules, and unauthorized file creation here can indicate a rootkit installation. If confirmed malicious, this could allow an attacker to gain high-level privileges, potentially compromising the entire system by executing code at the kernel level.
data_source:
- Sysmon for Linux EventID 11
search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_path IN ("*/kernel/drivers/*")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `linux_file_created_in_kernel_driver_directory_filter`
how_to_implement: To successfully implement this search, you need to be ingesting logs with the file name, file path, and process_guid executions from your endpoints. If you are using Sysmon, you can use the Add-on for Linux Sysmon from Splunkbase.
known_false_positives: Administrator or network operator can create file in this folders for automation purposes. Please update the filter macros to remove false positives.
references:
- https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/
- https://security.stackexchange.com/questions/175953/how-to-load-a-malicious-lkm-at-startup
- https://0x00sec.org/t/kernel-rootkits-getting-your-hands-dirty/1485
drilldown_searches:
- name: View the detection results for - "$dest$"
search: '%original_detection_search% | search dest = "$dest$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$dest$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: 7d
latest_offset: "0"
intermediate_findings:
entities:
- field: dest
type: system
score: 20
message: A file $file_name$ is created in $file_path$ on $dest$
analytic_story:
- Linux Privilege Escalation
- Linux Persistence Techniques
- Linux Rootkit
asset_type: Endpoint
mitre_attack_id:
- T1547.006
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
category: endpoint
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.006/loading_linux_kernel_module/sysmon_linux.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
test_type: unit
Stages and Predicates
Stage 1: tstats
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_path IN ("*/kernel/drivers/*")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
Stage 2: search
| `drop_dm_object_name(Filesystem)`
Stage 3: search
| `security_content_ctime(lastTime)`
Stage 4: search
| `security_content_ctime(firstTime)`
Stage 5: search
| `linux_file_created_in_kernel_driver_directory_filter`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Filesystem.file_path | in |
|