Sigma rules for CVE-2021-38575
11 rules, scoped to CVE-2021-38575.
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
    Detects loading of kernel modules with the insmod command.
    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand.
    Adversaries may use LKMs to obtain persistence within the system or to elevate privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
    - https://linux.die.net/man/8/insmod
    - https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021-11-02
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe: /usr/bin/kmod
    condition: selection
falsepositives:
    - Unknown
level: high

title: LiveKD Kernel Memory Dump File Created
id: 814ddeca-3d31-4265-8e07-8cc54fb44903
status: test
description: Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename: 'C:\Windows\livekd.dmp'
    condition: selection
falsepositives:
    - On rare occasions administrators might leverage LiveKD to perform live kernel debugging. This should not be allowed on production systems. Investigate and apply additional filters where necessary.
level: high

title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: test
description: Detects execution of LiveKD with the "-m" flag, which can dump the kernel memory.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
    - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
    - https://kb.acronis.com/content/60892
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2024-03-13
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
            - '\livekd.exe'
            - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    selection_cli:
        CommandLine|contains|windash: ' -m'
    condition: all of selection_*
falsepositives:
    - Unlikely in production environment
level: high

title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
description: Detects a suspicious way to dump the kernel on Windows systems using dtrace.exe, which has been available on Windows since Windows 10 19H1.
references:
    - https://twitter.com/0gtweet/status/1474899714290208777?s=12
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth (Nextron Systems)
date: 2021-12-28
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: windows
    category: process_creation
detection:
    selection_plain:
        Image|endswith: '\dtrace.exe'
        CommandLine|contains: 'lkd(0)'
    selection_obfuscated:
        CommandLine|contains|all:
            - 'syscall:::return'
            - 'lkd('
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump/info.yml

title: PUA - Kernel Driver Utility (KDU) Execution
id: e76ca062-4de0-4d79-8d90-160a0d335eca
status: experimental
description: |
    Detects execution of the Kernel Driver Utility (KDU) tool.
    KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel,
    potentially allowing privilege escalation, persistence, or evasion of security controls.
references:
    - https://github.com/h4rmy/KDU
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
            - '\kdu.exe'
            - '\hamakaze.exe'
        - OriginalFileName: 'hamakaze.exe'
    selection_cli_suspicious:
        CommandLine|contains:
            - '-map ' # map driver to the kernel and execute its entry point
            - '-prv ' # optional, select vulnerable driver provider
            - '-dse ' # write user defined value to the system DSE state flags; dse=0 (disable), dse=1 (enable)
            - '-ps ' # modify process object of given ProcessID
    condition: all of selection_*
falsepositives:
    - Legitimate driver development, testing, or administrative troubleshooting (e.g., enabling/disabling hardware)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_kdu_driver_tool/info.yml

title: CodeIntegrity - Revoked Kernel Driver Loaded
id: 320fccbf-5e32-4101-82b8-2679c5f007c6
status: test
description: Detects the load of a revoked kernel driver.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3021 # Code Integrity determined a revoked kernel module %2 is loaded into the system. Check with the publisher to see if a new signed version of the kernel module is available.
            - 3022 # Code Integrity determined a revoked kernel module %2 is loaded into the system. The image is allowed to load because kernel mode debugger is attached.
    condition: selection
falsepositives:
    - Unlikely
level: high

title: CodeIntegrity - Unsigned Kernel Module Loaded
id: 951f8d29-f2f6-48a7-859f-0673ff105e6f
status: test
description: Detects the presence of a loaded unsigned kernel module on the system.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID: 3001 # Code Integrity determined an unsigned kernel module %2 is loaded into the system. Check with the publisher to see if a signed version of the kernel module is available
    condition: selection
falsepositives:
    - Unlikely
level: high

title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
status: test
description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
references:
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-id-explanations
    - https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/operations/event-tag-explanations
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-06
modified: 2023-06-14
tags:
    - attack.privilege-escalation
logsource:
    product: windows
    service: codeintegrity-operational
detection:
    selection:
        EventID:
            - 3082 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. However, due to code integrity auditing policy, the image was allowed to load
            - 3083 # Code Integrity determined kernel module %2 that did not meet the WHQL requirements is loaded into the system. Check with the publisher to see if a WHQL compliant kernel module is available
    filter_optional_vmware:
        FileNameBuffer:
            - 'system32\drivers\vsock.sys'
            - 'System32\drivers\vmci.sys'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

title: Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall
id: eca5e022-d368-4043-98e5-9736fb01f72f
status: experimental
description: |
    Detects use of the `syslog` syscall with action code 4 (SYSLOG_ACTION_READ_CLEAR), 5 (SYSLOG_ACTION_CLEAR)
    or 6 (SYSLOG_ACTION_CONSOLE_OFF). Codes 4 and 5 clear the kernel ring buffer (dmesg logs) and code 6
    disables logging to the console. This can be used by attackers to hide traces after exploitation
    or privilege escalation. A common technique is running `dmesg -c`, which triggers this syscall internally.
references:
    - https://man7.org/linux/man-pages/man2/syslog.2.html
    - https://man7.org/linux/man-pages/man1/dmesg.1.html
author: Milad Cheraghi
date: 2025-05-27
modified: 2025-12-05
tags:
    - attack.defense-impairment
    - attack.t1685.006
logsource:
    product: linux
    service: auditd
    definition: |
        Required auditd configuration:
        -a always,exit -F arch=b64 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b64 -S syslog -F a0=6 -k disable_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=4 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=5 -k clear_dmesg_logs
        -a always,exit -F arch=b32 -S syslog -F a0=6 -k disable_dmesg_logs
detection:
    selection:
        type: 'SYSCALL'
        SYSCALL: 'syslog'
        a0:
            - 4 # SYSLOG_ACTION_READ_CLEAR: read and clear the log
            - 5 # SYSLOG_ACTION_CLEAR: clear the kernel ring buffer (without reading)
            - 6 # SYSLOG_ACTION_CONSOLE_OFF: disable logging to the console
    condition: selection
falsepositives:
    - System administrators or scripts that intentionally clear logs
    - Debugging scripts
level: medium

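The two auditd rules above (the insmod rule and the syslog syscall rule) both match on raw SYSCALL records, and a backend has to do two things the YAML does not spell out: map the numeric `syscall=` field to the name the `SYSCALL` field expects (as `ausearch -i` would), and convert the hexadecimal `a0` argument auditd writes into the integer the rule compares against. The following Python is an added example, not part of the Sigma project or of either rule; the audit lines are constructed, the rule selections are transcribed from the two rules above, and the syscall-number table covers only x86_64 (arch=c000003e), which is an assumption of the example.

```python
"""Evaluate the insmod and syslog-syscall Sigma selections over raw auditd lines.
Added example (not Sigma project code); sample records below are constructed."""
import re
from typing import Dict, List, Tuple

# x86_64 syscall numbers needed for the constructed sample (assumption: x86_64 only).
X86_64_ARCH = "c000003e"
X86_64_SYSCALL_NAMES = {59: "execve", 103: "syslog", 175: "init_module", 313: "finit_module"}

# Constructed raw auditd SYSCALL records. auditd writes a0..a3 as bare hexadecimal.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=103 success=yes exit=0 '
    'a0=5 a1=0 a2=0 a3=0 items=0 ppid=4321 pid=4322 auid=1000 uid=0 gid=0 '
    'comm="dmesg" exe="/usr/bin/dmesg" key="clear_dmesg_logs"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=103 success=yes exit=0 '
    'a0=2 a1=7ffd a2=1000 a3=0 items=0 ppid=4321 pid=4323 auid=1000 uid=1000 gid=1000 '
    'comm="dmesg" exe="/usr/bin/dmesg"',
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=175 success=yes exit=0 '
    'a0=3 a1=1a2b a2=0 a3=0 items=1 ppid=4321 pid=4324 auid=1000 uid=0 gid=0 '
    'comm="insmod" exe="/usr/bin/kmod" key="modules"',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=55aa a1=0 a2=0 a3=0 items=2 ppid=4321 pid=4325 auid=1000 uid=1000 gid=1000 '
    'comm="ls" exe="/usr/bin/ls"',
]

# The `selection` blocks of the two rules above, transcribed as field -> value(s).
# A list value means "any of" (Sigma semantics for list-valued fields).
RULES = {
    "Loading of Kernel Module via Insmod": {
        "type": "SYSCALL", "comm": "insmod", "exe": "/usr/bin/kmod",
    },
    "Clear or Disable Kernel Ring Buffer Logs via Syslog Syscall": {
        "type": "SYSCALL", "SYSCALL": "syslog", "a0": [4, 5, 6],
    },
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line: str) -> Dict[str, object]:
    """Split a raw auditd record into fields and normalise what the rules compare on."""
    event: Dict[str, object] = {k: v.strip('"') for k, v in _KV.findall(line)}
    # Syscall arguments are logged in hex; the syslog rule compares a0 as an integer.
    for arg in ("a0", "a1", "a2", "a3"):
        if arg in event:
            event[arg] = int(str(event[arg]), 16)
    # The Sigma SYSCALL field holds the interpreted name, not the raw number.
    if event.get("arch") == X86_64_ARCH and "syscall" in event:
        number = int(str(event["syscall"]))
        event["SYSCALL"] = X86_64_SYSCALL_NAMES.get(number, str(number))
    return event


def matches_selection(event: Dict[str, object], selection: Dict[str, object]) -> bool:
    """All fields must match; strings compare case-insensitively as Sigma does by default."""
    for field, wanted in selection.items():
        if field not in event:
            return False
        actual = event[field]
        candidates = wanted if isinstance(wanted, list) else [wanted]
        if not any(actual == c if isinstance(c, int) else str(actual).lower() == str(c).lower()
                   for c in candidates):
            return False
    return True


def run_rules(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule title, pid) for every record that satisfies a rule's selection."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        event = parse_audit_line(line)
        for title, selection in RULES.items():
            if matches_selection(event, selection):
                hits.append((title, str(event["pid"])))
    return hits


if __name__ == "__main__":
    for title, pid in run_rules(SAMPLE_AUDIT_LINES):
        print(f"pid {pid}: {title}")
```

Only the `dmesg` record with `a0=5` and the `insmod` record fire; the second `dmesg` record uses action code 2 (a plain read) and is correctly ignored, which is why the rule keys on `a0` rather than on the syscall alone. On a 32-bit process (the `arch=b32` rules in the definition above) the syscall numbers differ, so a real backend needs the per-architecture table that `ausearch -i` carries.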
title: Windows Kernel Debugger Execution
id: 27ee9438-90dc-4bef-904b-d3ef927f5e7e
status: test
description: Detects execution of the Windows Kernel Debugger "kd.exe".
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-04-24
tags:
    - attack.privilege-escalation
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\kd.exe'
        - OriginalFileName: 'kd.exe'
    condition: selection
falsepositives:
    - Rare occasions of legitimate cases where kernel debugging is necessary in production. Investigation is required.
level: medium

title: New Kernel Driver Via SC.EXE
id: 431a1fdb-4799-4f3b-91c3-a683b003fc49
status: test
description: Detects creation of a new service (kernel driver) with the type "kernel".
references:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-14
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains:
            - 'create'
            - 'config'
        CommandLine|contains|all:
            - 'binPath'
            - 'type'
            - 'kernel'
    filter_optional_avira_driver:
        - CommandLine|contains|all:
            - 'create netprotection_network_filter'
            - 'type= kernel start= '
            - 'binPath= System32\drivers\netprotection_network_filter'
            - 'DisplayName= netprotection_network_filter'
            - 'group= PNP_TDI tag= yes'
        - CommandLine|contains|all:
            - 'create avelam binpath=C:\Windows\system32\drivers\avelam.sys'
            - 'type=kernel start=boot error=critical group=Early-Launch'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Rare legitimate installation of kernel drivers via sc.exe
level: medium