
// Generic Linux rootkit signatures (Elastic Security).
//
// Four rules, each keyed on symbol/string artifacts rather than code bytes:
//   61229bdf - a large list of concrete hook/hide/unhide function and table
//              names; any four hits fire the rule.
//   482bca48 - kernel-module gate strings plus prefix ("hide_", "fake_", ...)
//              and suffix ("_getdents", "_tcp4_seq_show", ...) fragments.
//   d0c5cfe0 - same gate strings plus module-init symbols, un-prefixed hook
//              names and short keyword fragments.
//   f07bcabe - the "fh_" hook-helper function names.
//
// All meta values (id, fingerprint, dates, severity) are reproduced verbatim
// from upstream. NOTE(review): the fingerprint presumably tracks the upstream
// rule text; confirm how it is derived before relying on it for a locally
// reformatted copy.

rule Linux_Rootkit_Generic_61229bdf
{
    meta:
        author = "Elastic Security"
        id = "61229bdf-0b78-48b1-8a4d-09836dd2bcac"
        fingerprint = "8180ee7a04fd5ba23700e77ad3be7f30d592e77cffa8ebee8de7094627446335"
        creation_date = "2024-11-14"
        last_modified = "2024-11-22"
        threat_name = "Linux.Rootkit.Generic"
        severity = 100
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"

    strings:
        // Spoofed ("fake_") replacements for kernel show/trace handlers.
        $str1 = "dropshell"
        $str2 = "fake_account_user_time"
        $str3 = "fake_bpf_trace_printk"
        $str4 = "fake_crash_kexec"
        $str5 = "fake_loadavg_proc_show"
        $str6 = "fake_sched_debug_show"
        $str7 = "fake_seq_show_ipv4_tcp"
        $str8 = "fake_seq_show_ipv4_udp"
        $str9 = "fake_seq_show_ipv6_tcp"
        $str10 = "fake_seq_show_ipv6_udp"
        $str11 = "fake_trace_printk"
        // Privilege, directory-listing and signal hooks; module/port hiding.
        $str12 = "give_root"
        $str13 = "hack_getdents"
        $str14 = "hacked_getdents64"
        $str15 = "hacked_kill"
        $str16 = "hideModule"
        $str17 = "hide_module"
        $str18 = "hide_tcp4_port"
        $str19 = "hide_tcp6_port"
        $str20 = "hidden_tcp4_ports"
        $str21 = "hidden_tcp6_ports"
        $str22 = "hidden_udp4_ports"
        $str23 = "hidden_udp6_ports"
        $str24 = "hook_getdents"
        $str25 = "hook_kill"
        $str26 = "hook_local_in_func"
        $str27 = "hook_local_out_func"
        $str28 = "hook_tcp4_seq_show"
        $str29 = "hook_tcp6_seq_show"
        $str30 = "hooked_tcp6_seq_show"
        $str31 = "hooked_udp4_seq_show"
        $str32 = "hooked_udp6_seq_show"
        $str33 = "is_invisible"
        $str34 = "module_hide"
        $str35 = "module_show"
        $str36 = "nf_inet_hooks"
        // "old_*" names: apparently saved pointers to wrapped libc calls
        // (access/fopen/open/readdir/...), i.e. user-space wrapper style.
        $str37 = "old_access"
        $str38 = "old_fopen"
        $str39 = "old_lxstat"
        $str40 = "old_open"
        $str41 = "old_opendir"
        $str42 = "old_readdir"
        $str43 = "old_rmdir"
        $str44 = "old_unlink"
        $str45 = "old_xstat"
        // "orig_*" names: saved originals of hooked kernel handlers.
        $str46 = "orig_getdents"
        $str47 = "orig_getdents64"
        $str48 = "orig_kill"
        $str49 = "orig_tcp4_seq_show"
        $str50 = "orig_tcp6_seq_show"
        $str51 = "secret_connection"
        $str52 = "unhide_file"
        $str53 = "unhide_proc"
        $str54 = "unhide_tcp4_port"
        $str55 = "unhide_tcp6_port"
        $str56 = "unhide_udp4_port"
        $str57 = "unhide_udp6_port"

    condition:
        // Every string in this rule is a $str*, so "of them" covers the same set.
        4 of them
}

rule Linux_Rootkit_Generic_482bca48
{
    meta:
        author = "Elastic Security"
        id = "482bca48-c337-45d9-9513-301909cbda73"
        fingerprint = "a2a005777e1bc236a30f3efff8d85af360665bd9418b77aa8d0aaf72a72df88a"
        creation_date = "2024-11-14"
        last_modified = "2024-12-09"
        threat_name = "Linux.Rootkit.Generic"
        severity = 100
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"

    strings:
        // Gate: generic kernel-module artifacts. On their own they are not
        // rootkit-specific; the condition only uses them as a precondition.
        $str1 = "sys_call_table"
        $str2 = "kallsyms_lookup_name"
        $str3 = "retpoline=Y"
        $str4 = "kprobe"
        // Prefix fragments (trailing underscore) naming replacement handlers.
        $rk1 = "rootkit"
        $rk2 = "hide_"
        $rk3 = "hacked_"
        $rk4 = "fake_"
        $rk5 = "hooked_"
        // Suffix fragments (leading underscore) naming the hooked targets.
        $hook1 = "_getdents"
        $hook2 = "_kill"
        $hook3 = "_seq_show_ipv4_tcp"
        $hook4 = "_seq_show_ipv4_udp"
        $hook5 = "_seq_show_ipv6_tcp"
        $hook6 = "_seq_show_ipv6_udp"
        $hook7 = "_tcp4_port"
        $hook8 = "_tcp4_seq_show"
        $hook9 = "_tcp6_port"
        $hook10 = "_tcp6_seq_show"
        $hook11 = "_udp4_port"
        $hook12 = "_udp4_seq_show"
        $hook13 = "_udp6_port"
        $hook14 = "_udp6_seq_show"
        $hook15 = "_unlink"

    condition:
        // Gate strings, then either the full prefix set or a majority of
        // prefixes backed by several hooked-target suffixes.
        3 of ($str*) and (all of ($rk*) or (3 of ($rk*) and 5 of ($hook*)))
}

rule Linux_Rootkit_Generic_d0c5cfe0
{
    meta:
        author = "Elastic Security"
        id = "d0c5cfe0-850b-432c-924d-547252ca0dd0"
        fingerprint = "6c005d7126485220c8ea1a7fb2a3215ade16f1b9dda7b89daf7a8cc408288efa"
        creation_date = "2024-11-14"
        last_modified = "2024-12-09"
        threat_name = "Linux.Rootkit.Generic"
        severity = 100
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"

    strings:
        // Gate: same generic kernel-module artifacts as 482bca48.
        $str1 = "sys_call_table"
        $str2 = "kallsyms_lookup_name"
        $str3 = "retpoline=Y"
        $str4 = "kprobe"
        // Module entry-point symbols.
        $init1 = "init_module"
        $init2 = "finit_module"
        // Hooked-target names without the prefix/suffix underscore anchoring
        // used in 482bca48, so they match more loosely.
        $hook1 = "getdents"
        $hook2 = "seq_show_ipv4_tcp"
        $hook3 = "seq_show_ipv4_udp"
        $hook4 = "seq_show_ipv6_tcp"
        $hook5 = "seq_show_ipv6_udp"
        $hook6 = "sys_kill"
        $hook7 = "tcp4_port"
        $hook8 = "tcp4_seq_show"
        $hook9 = "tcp6_port"
        $hook10 = "tcp6_seq_show"
        $hook11 = "udp4_port"
        $hook12 = "udp4_seq_show"
        $hook13 = "udp6_port"
        $hook14 = "udp6_seq_show"
        // Short keyword fragments ("hide", "hook" are only four characters);
        // they carry weight only because the condition requires three of them
        // alongside every other group.
        $rk1 = "rootkit"
        $rk2 = "dropper"
        $rk3 = "hide"
        $rk4 = "hook"
        $rk5 = "hacked"

    condition:
        // All four groups must contribute; the clause order does not affect
        // the result.
        1 of ($init*) and 2 of ($str*) and 3 of ($rk*) and 3 of ($hook*)
}

rule Linux_Rootkit_Generic_f07bcabe
{
    meta:
        author = "Elastic Security"
        id = "f07bcabe-f91e-4872-8677-dee6307e79d0"
        fingerprint = "7335426e705383ff6f62299943a139390b83ce2af4cbfc145cfe78c0f0015a26"
        creation_date = "2024-12-02"
        last_modified = "2024-12-09"
        threat_name = "Linux.Rootkit.Generic"
        severity = 100
        arch_context = "x86, arm64"
        scan_context = "file, memory"
        license = "Elastic License v2"
        os = "linux"

    strings:
        // "fh_" hook-helper function names; install/remove/resolve together
        // describe a hook lifecycle, so two of the three suffice.
        $str1 = "fh_install_hook"
        $str2 = "fh_remove_hook"
        $str3 = "fh_resolve_hook_address"

    condition:
        // Same set as "2 of them": the rule only defines $str* strings.
        2 of ($str*)
}