Detect Rootkit in Sumo Logic CSE
Adversaries use rootkits to hide programs, files, network connections, services, drivers, and other system components. A rootkit intercepts and modifies operating-system API calls so that the malware's activity is concealed from normal enumeration, and it can live in user space, kernel space, or firmware. Real-world examples include Drovorub (a GRU-attributed Linux rootkit built on loadable kernel modules), Skidmap (a cryptocurrency miner with kernel-mode hooking), Diamorphine (an open-source LKM rootkit deployed by TeamTNT), Ebury (an SSH user-space rootkit), Rocke (ld.so.preload hijacking), Umbreon (libc hooking), and the Windows rootkits shipped with Carberp and Stuxnet. On Linux, kernel rootkits arrive as loadable kernel modules (LKMs) through the init_module/finit_module syscalls, while user-space rootkits hijack shared-library loading through /etc/ld.so.preload; on Windows, kernel rootkits abuse the driver-loading path. Detection is most reliable at installation and load time, because once active a rootkit conceals itself from OS-level enumeration.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1014 Rootkit
- Canonical reference: https://attack.mitre.org/techniques/T1014/
Sumo Detection Query
/* T1014 Rootkit - Sumo Logic multi-signal detection (log search syntax, not a Cloud SIEM rule expression) */
(_sourceCategory="windows/system" OR _sourceCategory="windows/security" OR _sourceCategory="windows/sysmon" OR _sourceCategory="linux/audit" OR _sourceCategory="*sysmon*" OR _sourceCategory="*auditd*" OR _sourceCategory="*wineventlog*")
/* Named groups use the Java (?<name>...) form. Quotes around keys and values are optional so key=value and JSON exports both parse. */
| parse regex "(?:EventCode|EventID)\"?[=:]\s*\"?(?<EventCode>\d+)" nodrop
| parse regex "ServiceType\"?[=:]\s*\"?(?<ServiceType>[^\r\n\|\"]+)" nodrop
| parse regex "ServiceName\"?[=:]\s*\"?(?<ServiceName>[^\r\n\|\"]+)" nodrop
| parse regex "(?:ImagePath|ServiceFileName|BinaryPathName)\"?[=:]\s*\"?(?<ImagePath>[^\r\n\|\"]+)" nodrop
| parse regex "ImageLoaded\"?[=:]\s*\"?(?<ImageLoaded>[^\r\n\|\"]+)" nodrop
/* auditd wraps comm, exe and name values in double quotes; accept them with or without */
| parse regex "\btype=(?<audit_type>\S+)" nodrop
| parse regex "\bsyscall=(?<syscall>\S+)" nodrop
| parse regex "\bname=\"?(?<audit_path>/[^\s\"]+)" nodrop
| parse regex "\bnametype=(?<nametype>\S+)" nodrop
| parse regex "\bcomm=\"?(?<comm>[^\s\"]+)" nodrop
| parse regex "\bexe=\"?(?<exe>[^\s\"]+)" nodrop
| where
/* Signal 1: kernel driver service installed from a user-writable path (System Event 7045 or Security Event 4697) */
(
(EventCode = "7045" or EventCode = "4697")
and (ServiceType = "1" or ServiceType = "0x1" or ServiceType = "0x00000001" or toLowerCase(ServiceType) matches ".*kernel.*driver.*")
and (
toLowerCase(ImagePath) matches ".*\\\\temp\\\\.*"
or toLowerCase(ImagePath) matches ".*\\\\appdata\\\\.*"
or toLowerCase(ImagePath) matches ".*\\\\downloads\\\\.*"
or toLowerCase(ImagePath) matches ".*\\\\programdata\\\\.*"
or toLowerCase(ImagePath) matches ".*\\\\users\\\\public\\\\.*"
)
)
or
/* Signal 2: driver (.sys) loaded from a non-standard path (Sysmon Event 6).
   ImageLoaded must be present so that Event ID 6 records from other providers in the System log are ignored. */
(
EventCode = "6"
and !isNull(ImageLoaded)
and not (
toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\system32\\\\.*"
or toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\syswow64\\\\.*"
or toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\winsxs\\\\.*"
or toLowerCase(ImageLoaded) matches "c:\\\\program files\\\\.*"
or toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\servicing\\\\.*"
)
)
or
/* Signal 3: Linux auditd kernel module syscall outside package manager context.
   Raw auditd records carry the syscall number (x86_64: 175 init_module, 313 finit_module, 176 delete_module);
   the names only appear when the log is interpreted (ausearch -i), so both forms are matched. */
(
audit_type = "SYSCALL"
and syscall in ("init_module", "finit_module", "delete_module", "175", "313", "176")
and not comm in ("apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "kmod", "snap", "pacman", "zypper", "dracut", "systemd", "update-initramfs")
)
or
/* Signal 4: /etc/ld.so.preload created or written, via the auditd PATH record of a -p wa watch */
(
audit_type = "PATH"
and audit_path = "/etc/ld.so.preload"
and nametype in ("CREATE", "NORMAL")
)
/* Sumo Logic has no eval; computed fields are expressed as <expression> as <field> */
| if(EventCode = "7045" or EventCode = "4697", "WindowsKernelDriverInstall",
if(EventCode = "6", "SuspiciousDriverLoad",
if(syscall = "init_module" or syscall = "finit_module" or syscall = "175" or syscall = "313", "LinuxKernelModuleLoad",
if(syscall = "delete_module" or syscall = "176", "LinuxKernelModuleUnload",
if(audit_path = "/etc/ld.so.preload", "LdPreloadModification", "Unknown"))))) as detection_type
| if(!isNull(ServiceName) and ServiceName != "", ServiceName,
if(!isNull(ImageLoaded) and ImageLoaded != "", ImageLoaded,
if(!isNull(exe) and exe != "", exe,
if(!isNull(audit_path) and audit_path != "", audit_path, "")))) as indicator
| fields _time, _sourceHost, detection_type, indicator, ServiceType, ImagePath, ImageLoaded, syscall, audit_path, comm, EventCode
| sort by _time desc

This is a Sumo Logic log search for T1014 Rootkit that uses regex field extraction across Windows System/Security/Sysmon and Linux auditd source categories. It covers four signals: a kernel driver service installed from a suspicious path (System Event 7045 or Security Event 4697), a .sys driver loaded from a non-standard path (Sysmon Event 6), Linux auditd SYSCALL records for kernel module operations (init_module/finit_module/delete_module, by name or by x86_64 number) outside a package manager context, and auditd PATH records for writes to /etc/ld.so.preload.
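The same four signals as a stand-alone Python program, run over constructed log lines. This is an added example, not code from the original page or from Sumo Logic: the field patterns, allow-lists and path lists mirror the query above, the x86_64 syscall numbers are the raw values auditd writes when the log is not interpreted, and every sample event is invented for this example rather than captured telemetry.

```python
# Added example, not code from the original page or from Sumo Logic: the four
# T1014 signals of the query above re-implemented in Python and run over
# constructed log lines, so extraction and matching can be checked offline.
import re

# Quotes are optional so key=value and JSON-style exports both parse; the auditd
# patterns accept the double quotes auditd puts around comm, exe and name.
FIELD_PATTERNS = {
    "EventCode":   r'(?:EventCode|EventID)"?[=:]\s*"?(\d+)',
    "ServiceType": r'ServiceType"?[=:]\s*"?([^\r\n|"]+)',
    "ServiceName": r'ServiceName"?[=:]\s*"?([^\r\n|"]+)',
    "ImagePath":   r'(?:ImagePath|ServiceFileName|BinaryPathName)"?[=:]\s*"?([^\r\n|"]+)',
    "ImageLoaded": r'ImageLoaded"?[=:]\s*"?([^\r\n|"]+)',
    "audit_type":  r'\btype=(\S+)',
    "syscall":     r'\bsyscall=(\S+)',
    "audit_path":  r'\bname="?(/[^\s"]+)',
    "nametype":    r'\bnametype=(\S+)',
    "comm":        r'\bcomm="?([^\s"]+)',
    "exe":         r'\bexe="?([^\s"]+)',
}
KERNEL_DRIVER_TYPES = {"1", "0x1", "0x00000001"}
SUSPICIOUS_WINDOWS_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\",
                           "\\programdata\\", "\\users\\public\\")
TRUSTED_DRIVER_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                           "c:\\windows\\winsxs\\", "c:\\program files\\",
                           "c:\\windows\\servicing\\")
# Names as printed by ausearch -i, plus the raw x86_64 numbers un-interpreted
# auditd logs carry instead: 175 init_module, 313 finit_module, 176 delete_module.
MODULE_LOAD_SYSCALLS = {"init_module", "finit_module", "175", "313"}
MODULE_UNLOAD_SYSCALLS = {"delete_module", "176"}
PACKAGE_MANAGERS = {"apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "kmod", "snap",
                    "pacman", "zypper", "dracut", "systemd", "update-initramfs"}

def parse_event(line):
    """Extract the query's fields from one log line; absent fields are left out."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, line)
        if match:
            fields[name] = match.group(1).strip()
    return fields

def classify(fields):
    """Return the detection_type for a parsed event, or None if no signal fires."""
    event_code, audit_type = fields.get("EventCode"), fields.get("audit_type")
    if event_code in ("7045", "4697"):
        # Signal 1: kernel-driver service installed from a user-writable path
        service_type = fields.get("ServiceType", "").lower()
        image_path = fields.get("ImagePath", "").lower()
        kernel_driver = (service_type in KERNEL_DRIVER_TYPES
                         or ("kernel" in service_type and "driver" in service_type))
        if kernel_driver and any(d in image_path for d in SUSPICIOUS_WINDOWS_DIRS):
            return "WindowsKernelDriverInstall"
    elif event_code == "6" and "ImageLoaded" in fields:
        # Signal 2: Sysmon driver load outside the trusted directories
        if not fields["ImageLoaded"].lower().startswith(TRUSTED_DRIVER_PREFIXES):
            return "SuspiciousDriverLoad"
    elif audit_type == "SYSCALL" and fields.get("comm") not in PACKAGE_MANAGERS:
        # Signal 3: module load/unload syscall not issued by a package manager
        if fields.get("syscall") in MODULE_LOAD_SYSCALLS:
            return "LinuxKernelModuleLoad"
        if fields.get("syscall") in MODULE_UNLOAD_SYSCALLS:
            return "LinuxKernelModuleUnload"
    elif audit_type == "PATH":
        # Signal 4: /etc/ld.so.preload created or opened (CREATE/NORMAL PATH record)
        if (fields.get("audit_path") == "/etc/ld.so.preload"
                and fields.get("nametype") in ("CREATE", "NORMAL")):
            return "LdPreloadModification"
    return None

def indicator(fields):
    # Same precedence as the query: ServiceName, then ImageLoaded, exe, audit_path.
    for name in ("ServiceName", "ImageLoaded", "exe", "audit_path"):
        if fields.get(name):
            return fields[name]
    return ""

def detect(lines):
    """Run all four signals over an iterable of log lines; return alerts in order."""
    alerts = []
    for line in lines:
        fields = parse_event(line)
        detection_type = classify(fields)
        if detection_type:
            alerts.append({"detection_type": detection_type, "indicator": indicator(fields)})
    return alerts

# Constructed sample events (not real telemetry). Windows lines use the pipe-separated
# key=value layout the patterns expect; Linux lines are auditd records, one interpreted.
SAMPLE_EVENTS = [
    r"EventCode=7045|ServiceName=ArgusTestRootkit|ImagePath=C:\Users\Public\argus_test_driver.sys|ServiceType=1|StartType=3",
    r"EventCode=7045|ServiceName=VendorAgent|ImagePath=C:\Program Files\Vendor\agent.exe|ServiceType=16|StartType=2",
    r"EventCode=6|ImageLoaded=C:\Users\Public\argus_test_driver.sys|Signed=true|SignatureStatus=Valid",
    r"EventCode=6|ImageLoaded=C:\Windows\System32\drivers\tcpip.sys|Signed=true|SignatureStatus=Valid",
    'type=SYSCALL msg=audit(1700000000.101:4521): arch=c000003e syscall=175 success=yes exit=0 pid=2210 auid=1000 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"',
    'type=SYSCALL msg=audit(1700000000.150:4530): arch=x86_64 syscall=finit_module success=yes exit=0 pid=988 auid=unset uid=root comm=dracut exe=/usr/bin/kmod key=modules',
    'type=SYSCALL msg=audit(1700000000.180:4540): arch=c000003e syscall=176 success=yes exit=0 pid=2230 auid=1000 uid=0 comm="rmmod" exe="/usr/bin/kmod" key="modules"',
    'type=PATH msg=audit(1700000000.202:4522): item=0 name="/etc/ld.so.preload" inode=262401 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL',
]
```

Running `detect(SAMPLE_EVENTS)` yields five alerts: the Public-directory driver install, the Public-directory driver load, the insmod load, the rmmod unload, and the ld.so.preload PATH record; the Program Files service, the System32 driver and the dracut-driven finit_module are correctly ignored. The fifth auditd line is written the way ausearch -i prints it (unquoted values, syscall by name) to show that the same patterns handle both raw and interpreted records.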
Data Sources
- Windows System log, Event ID 7045 (a service was installed), and Security log, Event ID 4697 (the same event when service-installation auditing is enabled)
- Sysmon Event ID 6 (driver loaded)
- Linux auditd SYSCALL records for init_module, finit_module and delete_module, and PATH records for /etc/ld.so.preload
The _sourceCategory values in the query are examples; they must match the categories your Sumo Logic collectors assign to these sources.
False Positives & Tuning
- The regex parsers may fail to extract ServiceType or ImagePath from Windows events in non-English locales, or when the event layout changes across OS versions or collector output formats (key=value versus JSON), leading to missed detections or to benign events being misclassified
- Container runtime setup (Docker, containerd, CRI-O startup) uses modprobe to load overlay, br_netfilter or ip_tables kernel modules; the comm is a shell, modprobe or the container daemon rather than a package manager, so these load events match Signal 3
- Performance monitoring or tracing tools that write a shared library path to /etc/ld.so.preload for legitimate LD_PRELOAD-based instrumentation (for example jemalloc, tcmalloc, or Datadog APM LD_PRELOAD injection for glibc profiling)
- Raw auditd records carry the syscall number rather than its name (on x86_64: 175 init_module, 313 finit_module, 176 delete_module; other architectures use different numbers). Only interpreted output (ausearch -i) or a forwarder that resolves names produces syscall=init_module, so a query that matches names alone never fires on raw logs
- Boot-time module loading by systemd-modules-load appears with comm=systemd-modules, because the kernel truncates comm to 15 characters; the exact-match allow-list does not cover it, so extend the list per distribution rather than loosening it to a prefix match
- Event ID 6 is not unique to Sysmon; the Windows System log also carries Event ID 6 records from other providers. Require the ImageLoaded field or restrict the signal to the Microsoft-Windows-Sysmon channel
- A PATH record with nametype=NORMAL is also produced when the file is merely opened for reading, and the glibc dynamic loader reads /etc/ld.so.preload on every process start. Scope the audit watch on /etc/ld.so.preload to writes and attribute changes (-p wa), or correlate with the open flags in the SYSCALL record, otherwise every exec generates an event
Testing Methodology
Validate this detection with the four Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1 (Linux): Load a Benign Kernel Module from a Non-Standard Path
Expected signal: auditd SYSCALL record with syscall=init_module, exe=/sbin/insmod, auid=<current_user>. DeviceProcessEvents (MDE for Linux): FileName=insmod, ProcessCommandLine containing '/tmp/testmodule/test_rootkit_sim.ko', InitiatingProcessFileName=bash/sh. dmesg shows 'argus_test: rootkit simulation module loaded'. lsmod shows 'test_rootkit_sim' in the module list.
- Test 2 (Linux): Userland Rootkit Hook via ld.so.preload Injection
Expected signal: auditd PATH record type=PATH name=/etc/ld.so.preload nametype=NORMAL, with the associated SYSCALL record showing an openat/write syscall and exe=/usr/bin/tee. DeviceFileEvents (MDE for Linux): FolderPath=/etc, FileName=ld.so.preload, ActionType=FileModified or FileCreated. File integrity monitoring (if deployed) triggers on the /etc/ld.so.preload change.
- Test 3 (Windows): Install a Kernel Driver Service from a Suspicious Path
Expected signal: Security log Event ID 4697: ServiceName=ArgusTestRootkit, ServiceFileName=C:\Users\Public\argus_test_driver.sys, ServiceType=0x00000001 (Kernel Driver), AccountName=<current_admin_user>. Sysmon Event ID 6 (Driver Loaded): ImageLoaded=C:\Users\Public\argus_test_driver.sys, Signed=true (null.sys is signed). System log Event ID 7045 with the same service details. The file is legitimately signed; the path is what makes it suspicious.
- Test 4 (Linux): Enumerate Running Processes to Detect Rootkit-Induced Discrepancies
Expected signal: On a clean system, proc_pids.txt and ps_pids.txt should differ only by kernel threads and very short-lived processes, and the final comm output should be empty or show only expected kernel-thread PIDs. The module comparison should show no discrepancies on a clean system. During an active rootkit incident, hidden PIDs and module names appear in the discrepancy output. This test generates no detection alerts on a clean system; it is a verification tool for the investigation phase.
References
- https://attack.mitre.org/techniques/T1014/
- https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
- https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-skidmap.pdf
- https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/
- https://blog.trendmicro.com/trendlabs-security-intelligence/umbreon-linux-rootkit-hits-x86-arm-systems/
- https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- https://github.com/m0nad/Diamorphine
- https://github.com/marin-m/vmlinux-to-elf
- https://volatility3.readthedocs.io/en/latest/
- https://www.elastic.co/security-labs/linux-rootkits-and-detections
- https://www.synacktiv.com/en/publications/a-brief-history-of-linux-kernel-module-rootkits