From 4e4a334db7ef14bfc8844495b34fc72e0a24600f Mon Sep 17 00:00:00 2001
From: hafizfarhad
Date: Fri, 11 Apr 2025 04:55:54 +0500
Subject: [PATCH 1/3] Add rule: linux-rootkit-netfilter-hooks
---
nursery/linux-rootkit-netfilter-hooks.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 nursery/linux-rootkit-netfilter-hooks.yml
diff --git a/nursery/linux-rootkit-netfilter-hooks.yml b/nursery/linux-rootkit-netfilter-hooks.yml
new file mode 100644
index 00000000..bb21463a
--- /dev/null
+++ b/nursery/linux-rootkit-netfilter-hooks.yml
@@ -0,0 +1,15 @@
+rule:
+ meta:
+ name: linux-rootkit-netfilter-hooks
+ namespace:
+ authors:
+ - mrhafizfarhad@gmail.com
+ scopes:
+ static: file
+ dynamic: file
+ references:
+ - https://gist.github.com/loneicewolf/226e3e20e6041d12a63a5e833ebb0503
+ features:
+ - or:
+ - substring: nf_register_net_hook
+ - substring: nf_register_net_hooks
From b79e5f10265831b68c6a1908aee32e0d465b27d4 Mon Sep 17 00:00:00 2001
From: hafizfarhad
Date: Sun, 13 Apr 2025 01:57:13 +0500
Subject: [PATCH 2/3] Update linux-rootkit-netfilter-hooks rule
---
nursery/linux-rootkit-netfilter-hooks.yml | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/nursery/linux-rootkit-netfilter-hooks.yml b/nursery/linux-rootkit-netfilter-hooks.yml
index bb21463a..0c3dd30b 100644
--- a/nursery/linux-rootkit-netfilter-hooks.yml
+++ b/nursery/linux-rootkit-netfilter-hooks.yml
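Review bot: The second alternative under `- or:` is redundant: capa's `substring` feature is an unanchored match, so `nf_register_net_hook` already matches every string that contains `nf_register_net_hooks`, and the two-branch `or` can collapse to a single `- substring: nf_register_net_hook`. Also note that this symbol is the public kernel API any packet-filtering module (firewall, NAT or VPN helpers, connection tracking) imports, so a hit establishes netfilter hook registration rather than rootkit behaviour; the `linux-rootkit-` name promises more than the single feature supports, and the rule should stay in nursery until a second, rootkit-specific indicator is paired with it.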
@@ -1,15 +1,21 @@
rule:
meta:
name: linux-rootkit-netfilter-hooks
- namespace:
+ namespace: anti-analysis/linux/rootkit
authors:
- mrhafizfarhad@gmail.com
+ description: Detects Linux kernel rootkits that register Netfilter hooks.
scopes:
static: file
dynamic: file
references:
- https://gist.github.com/loneicewolf/226e3e20e6041d12a63a5e833ebb0503
+ att&ck:
+ - Defense Evasion::Rootkit [T1014]
+ - Collection::Network Sniffing [T1040]
features:
- - or:
- - substring: nf_register_net_hook
- - substring: nf_register_net_hooks
+ - and:
+ - os: linux
+ - or:
+ - substring: "nf_register_net_hook"
+ - substring: "nf_register_net_hooks"
From d692b0f460b4fcf14fea99a109d05ca84e309a9f Mon Sep 17 00:00:00 2001
From: hafizfarhad
Date: Sun, 13 Apr 2025 02:08:35 +0500
Subject: [PATCH 3/3] Update linux-rootkit-netfilter-hooks rule
---
nursery/linux-rootkit-netfilter-hooks.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/nursery/linux-rootkit-netfilter-hooks.yml b/nursery/linux-rootkit-netfilter-hooks.yml
index 0c3dd30b..82844922 100644
--- a/nursery/linux-rootkit-netfilter-hooks.yml
+++ b/nursery/linux-rootkit-netfilter-hooks.yml
@@ -8,11 +8,10 @@ rule:
scopes:
static: file
dynamic: file
- references:
- - https://gist.github.com/loneicewolf/226e3e20e6041d12a63a5e833ebb0503
att&ck:
- Defense Evasion::Rootkit [T1014]
- - Collection::Network Sniffing [T1040]
+ references:
+ - https://gist.github.com/loneicewolf/226e3e20e6041d12a63a5e833ebb0503
features:
- and:
- os: linux
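Review bot: The new `description` overstates what the features establish: `nf_register_net_hook` is the ordinary kernel API that any packet-filtering module calls, so `os: linux` combined with that string identifies netfilter hook registration, not a rootkit, and a classifier or analyst reading the rule name and description will over-trust the match. Reword to `description: Identifies Linux kernel modules that register Netfilter hooks, an API also used by rootkits to intercept or hide network traffic.` or tighten `features` by requiring a second rootkit-specific indicator inside the `and` before this leaves nursery. The `or` also remains redundant after the rewrite, since `substring` is an unanchored match and `"nf_register_net_hook"` already covers `"nf_register_net_hooks"`; keep only `- substring: "nf_register_net_hook"`. The `os: linux` addition is a sensible scope restriction and should stay.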