T1014 Splunk · SPL

Detect Rootkit in Splunk

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits intercept and modify operating system API calls to conceal malware activity and can reside at user-space, kernel-space, or firmware levels. Real-world deployments include Drovorub (GRU-attributed Linux kernel rootkit using LKMs), Skidmap (cryptocurrency miner with kernel-mode hooking), TeamTNT's Diamorphine (open-source LKM), Ebury (SSH userland rootkit), Rocke (ld.so.preload hijacking), Umbreon (libc hooking), and Windows-based rootkits from Carberp and Stuxnet. Linux kernel rootkits typically leverage loadable kernel modules (LKMs) or shared library preloading via /etc/ld.so.preload. Windows kernel rootkits abuse driver loading mechanisms. Detection is most effective at installation and loading time — once active, rootkits actively conceal themselves from OS-level enumeration.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1014 Rootkit
Canonical reference: https://attack.mitre.org/techniques/T1014/

SPL Detection Query

Splunk (SPL)
  ```T1014 Rootkit: Windows and Linux multi-source detection```
(
  ```Windows: new kernel driver service installation (System Event Log 7045)```
  (sourcetype="WinEventLog:System" EventCode=7045
   (ServiceType="1" OR ServiceType="kernel driver" OR ServiceType="Kernel Driver"))
  OR
  ```Windows: Sysmon EventCode=6 (Driver Loaded) from a non-standard path```
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=6
   NOT (ImageLoaded="C:\\Windows\\System32\\*"
     OR ImageLoaded="C:\\Windows\\SysWOW64\\*"
     OR ImageLoaded="C:\\Windows\\WinSxS\\*"
     OR ImageLoaded="C:\\Program Files\\*"
     OR ImageLoaded="C:\\Program Files (x86)\\*"
     OR ImageLoaded="C:\\Windows\\servicing\\*"))
  OR
  ```Linux: auditd kernel module syscalls (insmod/modprobe call init_module or finit_module)```
  (sourcetype="linux_auditd" type=SYSCALL
   (syscall="init_module" OR syscall="finit_module" OR syscall="delete_module"))
  OR
  ```Linux: auditd PATH record for a /etc/ld.so.preload write (userland rootkit hook)```
  (sourcetype="linux_auditd" type=PATH name="/etc/ld.so.preload"
   (nametype="CREATE" OR nametype="NORMAL"))
)
| eval detection_type=case(
    EventCode="7045", "WindowsKernelDriverInstall",
    EventCode="6", "SuspiciousDriverLoad",
    (syscall="init_module" OR syscall="finit_module"), "LinuxKernelModuleLoad",
    syscall="delete_module", "LinuxKernelModuleUnload",
    name="/etc/ld.so.preload", "LdPreloadModification",
    true(), "Unknown"
  )
| eval indicator=coalesce(ServiceName, ImageLoaded, exe, name, "")
| eval account=coalesce(AccountName, auid, uid, "")
| eval ppid_name=coalesce(ParentImage, ppid, "")
| eval is_suspicious_path=if(
    match(lower(indicator),
      "(\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\programdata\\\\|/tmp/|/var/tmp/|/dev/shm/)"),
    1, 0
  )
  ```auditd SYSCALL records carry only a numeric ppid, so this exclusion only takes effect when a parent-name field is present```
| eval from_pkg_manager=if(
    match(lower(ppid_name),
      "(systemd|apt|dpkg|rpm|yum|dnf|snap|pacman|zypper|kmod|dracut|update-initramfs)"),
    1, 0
  )
| where detection_type!="LinuxKernelModuleLoad" OR from_pkg_manager=0
| table _time, host, detection_type, indicator, account, is_suspicious_path, ServiceType, syscall, ppid_name, auid
| sort - _time
Severity: critical · Confidence: medium

Multi-source Splunk detection for rootkit installation across Windows and Linux. Combines four data sources: Windows System Event 7045 (new kernel driver service) filtered to driver service type; Sysmon EventCode 6 (Driver Loaded) for .sys files outside standard Windows driver directories; Linux auditd SYSCALL records for init_module, finit_module, and delete_module kernel module operations; and Linux auditd PATH records detecting writes to /etc/ld.so.preload. Package manager-initiated module loads are filtered to reduce false positives on Linux systems. Requires auditd rules watching /etc/ld.so.preload (-w /etc/ld.so.preload -p wa -k rootkit) and kernel syscall auditing (-a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k rootkit).
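As an added example (not part of this page or of the Splunk query itself), the same classification, enrichment and package-manager exclusion the SPL performs, applied in Python to constructed events so the logic can be checked offline. The field names ServiceFileName and ppid_name are assumptions standing in for whatever your Windows add-on and auditd parser actually extract; the 7045 branch prefers the service file path as indicator, which goes slightly beyond the query's coalesce order.

```python
import re

# Constructed sample events shaped like the fields the SPL query references (illustrative, not captured telemetry).
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:System", "EventCode": "7045", "ServiceName": "ArgusTestRootkit",
     "ServiceType": "kernel driver", "ServiceFileName": "C:\\Users\\Public\\argus_test_driver.sys"},
    {"sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "6",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"sourcetype": "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "6",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\drv.sys"},
    {"sourcetype": "linux_auditd", "type": "SYSCALL", "syscall": "finit_module",
     "exe": "/usr/bin/kmod", "ppid_name": "dpkg"},  # ppid_name is an assumed parent-name field
    {"sourcetype": "linux_auditd", "type": "SYSCALL", "syscall": "init_module",
     "exe": "/sbin/insmod", "ppid_name": "bash"},
    {"sourcetype": "linux_auditd", "type": "PATH", "name": "/etc/ld.so.preload", "nametype": "NORMAL"},
]
# Same driver-directory allow-list, suspicious-path and package-manager patterns as the query (case-folded).
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\",
                 "c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\servicing\\")
SUSPICIOUS_PATH = re.compile(r"(\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|/tmp/|/var/tmp/|/dev/shm/)")
PKG_MANAGER = re.compile(r"(systemd|apt|dpkg|rpm|yum|dnf|snap|pacman|zypper|kmod|dracut|update-initramfs)")
MODULE_SYSCALLS = {"init_module": "LinuxKernelModuleLoad", "finit_module": "LinuxKernelModuleLoad",
                   "delete_module": "LinuxKernelModuleUnload"}

def classify(ev):
    """Return the query's detection_type for one event, or None if the base search would not match it."""
    st, code = ev.get("sourcetype", ""), ev.get("EventCode")
    if st == "WinEventLog:System" and code == "7045" and ev.get("ServiceType", "").lower() in ("1", "kernel driver"):
        return "WindowsKernelDriverInstall"
    if st.endswith("Sysmon/Operational") and code == "6":
        return None if ev.get("ImageLoaded", "").lower().startswith(STANDARD_DIRS) else "SuspiciousDriverLoad"
    if st == "linux_auditd" and ev.get("type") == "SYSCALL":
        return MODULE_SYSCALLS.get(ev.get("syscall"))
    if st == "linux_auditd" and ev.get("type") == "PATH" and ev.get("name") == "/etc/ld.so.preload" and ev.get("nametype") in ("CREATE", "NORMAL"):
        return "LdPreloadModification"
    return None

def detect(events):
    """Apply the query's enrichment and package-manager exclusion; return the rows the final table would show."""
    rows = []
    for ev in events:
        dtype = classify(ev)
        if dtype is None:
            continue
        # Mirrors coalesce(ServiceName, ImageLoaded, exe, name), preferring the 7045 service file path when present.
        indicator = next((ev[k] for k in ("ServiceFileName", "ServiceName", "ImageLoaded", "exe", "name") if ev.get(k)), "")
        if dtype == "LinuxKernelModuleLoad" and PKG_MANAGER.search(ev.get("ppid_name", "").lower()):
            continue  # where detection_type!="LinuxKernelModuleLoad" OR from_pkg_manager=0
        rows.append({"detection_type": dtype, "indicator": indicator,
                     "is_suspicious_path": int(bool(SUSPICIOUS_PATH.search(indicator.lower())))})
    return rows
```

Note that the page's suspicious-path regex does not cover C:\Users\Public, so the Test 3 driver path below is flagged only by the 7045 service type, not by is_suspicious_path.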

Data Sources

  • Driver: Driver Load
  • File: File Creation
  • File: File Modification
  • Process: Process Creation
  • Sysmon Event ID 6
  • Linux auditd
  • Windows System Event Log

Required Sourcetypes

  • WinEventLog:System
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • linux_auditd

False Positives & Tuning

  • Legitimate kernel driver installations by VPN software, hardware vendors, or security tools that stage driver binaries in user-accessible paths before moving them to the driver store
  • Linux infrastructure automation (Ansible, Puppet) loading expected kernel modules during node provisioning — these appear as insmod/modprobe outside package manager context
  • Virtualization software (VirtualBox, VMware, KVM/QEMU) loading kernel modules (vboxdrv.ko, kvm.ko, vmwgfx.ko) during service initialization not triggered by package manager
  • Security auditing and hardening scripts that write to or inspect /etc/ld.so.preload as part of CIS benchmark compliance or file integrity baseline creation
  • Kernel module version upgrades during OS patching that trigger delete_module then init_module for the same module — generates both a removal and load event
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1 (Linux): Load a Benign Kernel Module from Non-Standard Path

    Expected signal: auditd SYSCALL record with syscall=init_module, exe=/sbin/insmod, auid=<current_user>. DeviceProcessEvents (MDE for Linux): FileName=insmod, ProcessCommandLine containing '/tmp/testmodule/test_rootkit_sim.ko', InitiatingProcessFileName=bash/sh. dmesg shows 'argus_test: rootkit simulation module loaded'. lsmod shows 'test_rootkit_sim' in module list.

  2. Test 2 (Linux): Userland Rootkit Hook via ld.so.preload Injection

    Expected signal: auditd PATH record: type=PATH name=/etc/ld.so.preload nametype=NORMAL with associated SYSCALL record showing write/openat syscall, exe=/usr/bin/tee. DeviceFileEvents (MDE for Linux): FolderPath=/etc, FileName=ld.so.preload, ActionType=FileModified or FileCreated. File integrity monitoring (if deployed) triggers on /etc/ld.so.preload change.

  3. Test 3 (Windows): Install a Kernel Driver Service from Suspicious Path

    Expected signal: Security Event ID 4697 in Security Log: ServiceName=ArgusTestRootkit, ServiceFileName=C:\Users\Public\argus_test_driver.sys, ServiceType=0x00000001 (Kernel Driver), AccountName=<current_admin_user>. Sysmon Event ID 6 (Driver Loaded): ImageLoaded=C:\Users\Public\argus_test_driver.sys, Signed=true (null.sys is signed). System Event Log 7045: same service details. The file is legitimately signed but the path is suspicious.

  4. Test 4 (Linux): Enumerate Running Processes to Detect Rootkit-Induced Discrepancies

    Expected signal: On a clean system: proc_pids.txt and ps_pids.txt should differ only by kernel threads and very short-lived processes, and the final comm output should be empty or show only expected kernel thread PIDs. Module comparison should show no discrepancies on a clean system. During active rootkit incident: hidden PIDs and module names would appear in the discrepancy output. This test generates no detection alerts on a clean system — it is a verification tool for the investigation phase.
