Skip to content

Add nursery rules for Linux kernel rootkit techniques#1136

Merged
mike-hunhoff merged 2 commits intomandiant:masterfrom
aryanyk:linux-rootkit-rules
Mar 27, 2026
Merged

Add nursery rules for Linux kernel rootkit techniques#1136
mike-hunhoff merged 2 commits intomandiant:masterfrom
aryanyk:linux-rootkit-rules

Conversation

@aryanyk
Copy link
Copy Markdown
Contributor

@aryanyk aryanyk commented Mar 11, 2026

Fixes #998

Description

This PR adds two new nursery rules for detecting Linux kernel rootkit techniques.

The first rule detects privilege escalation patterns commonly used in Linux kernel rootkits where elevated credentials are created using prepare_kernel_cred and applied via commit_creds.

The second rule detects registration of Netfilter hooks through nf_register_net_hook or nf_register_hook, which can be used by kernel modules to intercept or modify network traffic.

Both rules target Linux kernel module behavior that may indicate rootkit activity.

Rules Added

  1. escalate privileges via commit_creds on Linux
    Detects the use of the prepare_kernel_credcommit_creds API pattern frequently used by kernel rootkits to escalate privileges.

  2. register Netfilter hook on Linux
    Detects the registration of Netfilter hooks (nf_register_net_hook or nf_register_hook) that may be used to inspect or manipulate packet flow.

Testing

The rules were validated using the capa linting utilities.

Commands used:

python ../capa/scripts/lint.py -t "escalate privileges via commit_creds on Linux" -v .
python ../capa/scripts/lint.py -t "register Netfilter hook on Linux" -v .

Both rules pass lint checks.
Examples are not included yet, so the rules remain in the nursery directory.

References

AI Usage

AI tools were used to assist with drafting rule descriptions and refining rule structure. All rule logic and validation steps were reviewed and tested manually.

@aryanyk aryanyk mentioned this pull request Mar 11, 2026
Closed
mike-hunhoff
mike-hunhoff requested changes Mar 12, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@mike-hunhoff mike-hunhoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @aryanyk , I've left comments for your review.

@aryanyk
Copy link
Copy Markdown
Contributor Author

aryanyk commented Mar 17, 2026

Thanks for the clarification. I will explain it based on my understanding .

For commit_creds : using commit_creds in many linux kernel rootkits the module first prepares a new credential structure calling prepare_kernel_cred(NULL) and after calling commit_creds to set. This essentially gives the current process root credentials. I mapped it to ATT&CK T1068 since the end state is privilege escalation within the kernel.

For Netfilter : A Netfilter hook is an interface that provides a way to inspect or modify packets that's traversing down the networking stack, registering a netfilter hook allows kernel modules to do just that. This is sometimes used by malicious modules to hide traffic or manipulate how endpoints behave on the network such that this can interfere with monitoring or defensive controls, which I mapped to T1562.

@mike-hunhoff please let me know if this reasoning looks correct or if you’d prefer a different mapping.

@aryanyk aryanyk requested a review from mike-hunhoff March 19, 2026 10:31
@mike-hunhoff mike-hunhoff merged commit 7bb186f into mandiant:master Mar 27, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@williballenthin williballenthin williballenthin left review comments

@mike-hunhoff mike-hunhoff mike-hunhoff approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Linux kernel rootkit techniques

3 participants

@aryanyk @williballenthin @mike-hunhoff