Synopsis

| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006) |
| Severity | Low |
Description
A udev rule was modified with an unusual pattern; adversaries might use this to backdoor existing drivers.
Attacker's Goals
Adversaries can use this technique to execute arbitrary commands once the machine boots.
Investigative actions
- Check if the action was done using an automation service.
- Check the rule modification content and look for any suspicious payloads.
- Check if there are any other suspicious activities originating from the same machine or executing user.
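The second investigative step, checking the modified rule's content for suspicious payloads, can be scripted. The following is an added example, not part of the original detector or its vendor's code; the rule files, their paths and the "unusual path" list are constructed assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample udev rules (not taken from any real host). The first is a
# typical vendor device rule; the second is the kind of RUN+= payload the
# investigative step asks an analyst to look for.
SAMPLE_RULES = {
    "/etc/udev/rules.d/70-printer.rules":
        'SUBSYSTEM=="usb", ATTR{idVendor}=="04a9", MODE="0664", GROUP="lp"',
    "/etc/udev/rules.d/99-local.rules":
        'ACTION=="add", SUBSYSTEM=="net", RUN+="/bin/sh -c \'/dev/shm/.x >/dev/null 2>&1 &\'"',
}

# udev keys whose value is executed when the rule fires.
EXEC_KEYS = {"RUN", "PROGRAM", "IMPORT"}
# Locations from which a packaged rule rarely launches helpers (assumption for this example).
UNUSUAL_PATH = re.compile(r"/(tmp|dev/shm|var/tmp|home/[^/]+)/")
SHELL_WRAPPER = re.compile(r"^/bin/(ba)?sh\s+-c\b")
# KEY{attr}<op>"value" tokens; operators tried longest-first so "==" is not read as "=".
TOKEN = re.compile(r'([A-Z_]+)(\{[^}]*\})?\s*(==|!=|\+=|=)\s*"([^"]*)"')


def parse_rule(rule: str) -> List[Dict[str, str]]:
    """Split a single-line udev rule into key/operator/value tokens."""
    return [{"key": k, "op": op, "value": v} for k, _attr, op, v in TOKEN.findall(rule)]


def suspicious_tokens(rule: str) -> List[str]:
    """Return reasons an executable payload looks unusual; an empty list means nothing flagged."""
    reasons = []
    for tok in parse_rule(rule):
        if tok["key"] not in EXEC_KEYS:
            continue
        val = tok["value"]
        if UNUSUAL_PATH.search(val):
            reasons.append(f'{tok["key"]} references a world-writable or user path: {val}')
        if SHELL_WRAPPER.match(val):
            reasons.append(f'{tok["key"]} wraps its command in a shell: {val}')
        if "&" in val:  # redirection or backgrounding is rare in packaged rules (udev kills long RUN tasks)
            reasons.append(f'{tok["key"]} contains shell control characters: {val}')
    return reasons


def triage(rules: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the checks over every rule file and keep only the flagged ones."""
    return {p: r for p, r in ((p, suspicious_tokens(t)) for p, t in rules.items()) if r}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RULES).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```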