IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Stolen Credentials Used to Login to Okta Account After MFA Reset Suspicious Kworker UID Elevation »

› ›

Suspicious File Creation via Kworker

edit

Suspicious File Creation via Kworker

edit

This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel’s workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Defend

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

file where event.action == "creation" and process.name : "kworker*" and not (
  process.name : "kworker*kcryptd*" or file.path : ("/var/log/*", "/var/crash/*")
)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Rootkit
- ID: T1014
- Reference URL: https://attack.mitre.org/techniques/T1014/

« Stolen Credentials Used to Login to Okta Account After MFA Reset Suspicious Kworker UID Elevation »