The hypothesis behind this detection rule is that it identifies adversary activity involving a custom Linux kernel module attributed to the Derusbi APT group, likely used for persistence or privilege escalation (the rule's string set includes process-hiding symbols such as hide_pid and unhide_pid). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that rely on kernel-level persistence techniques.
YARA Rule
rule apt_nix_elf_derusbi_kernelModule
{
    meta:
        Author = "@seifreed"
    strings:
        $ = "__this_module"
        $ = "init_module"
        $ = "unhide_pid"
        $ = "is_hidden_pid"
        $ = "clear_hidden_pid"
        $ = "hide_pid"
        $ = "license"
        $ = "description"
        $ = "srcversion="
        $ = "depends="
        $ = "vermagic="
        $ = "current_task"
        $ = "sock_release"
        $ = "module_layout"
        $ = "init_uts_ns"
        $ = "init_net"
        $ = "init_task"
        $ = "filp_open"
        $ = "__netlink_kernel_create"
        $ = "kfree_skb"
    condition:
        // 0x464c457f is the ELF magic (7f 45 4c 46) read as a little-endian uint32.
        // The original literal 0x4464c457f carried a stray digit and exceeded 32 bits,
        // so uint32(0) could never equal it and the rule would never fire.
        (uint32(0) == 0x464c457f) and (all of them)
}
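To show what the condition actually evaluates, here is an added example (not part of the original rule or its author's work) that reimplements the rule's logic in plain Python rather than through yara-python: a little-endian uint32 read at offset 0 compared against the ELF magic, plus an "all of them" check over the rule's string set. The sample input is constructed inline and is not a real kernel module; the helper names are my own.

```python
import struct
from typing import List, Optional

# String set copied from the rule above; YARA's "all of them" requires every one.
DERUSBI_STRINGS: List[bytes] = [
    b"__this_module", b"init_module", b"unhide_pid", b"is_hidden_pid",
    b"clear_hidden_pid", b"hide_pid", b"license", b"description",
    b"srcversion=", b"depends=", b"vermagic=", b"current_task",
    b"sock_release", b"module_layout", b"init_uts_ns", b"init_net",
    b"init_task", b"filp_open", b"__netlink_kernel_create", b"kfree_skb",
]

# ELF magic bytes 7f 45 4c 46 read as a little-endian 32-bit integer, which is
# exactly what YARA's uint32(0) yields for an ELF file.
ELF_MAGIC_LE = 0x464C457F


def yara_uint32(data: bytes, offset: int = 0) -> Optional[int]:
    """Mimic YARA's uint32(offset): little-endian read; None when out of range
    (YARA treats the read as undefined and the comparison as false)."""
    if len(data) < offset + 4:
        return None
    return struct.unpack_from("<I", data, offset)[0]


def literal_fits_uint32(value: int) -> bool:
    """True if an integer literal can ever equal a uint32() read. A nine-hex-digit
    literal such as 0x4464c457f cannot, so a rule using it never matches."""
    return 0 <= value <= 0xFFFFFFFF


def matches_derusbi_rule(data: bytes) -> bool:
    """Python equivalent of the rule's condition: ELF magic AND all strings present."""
    return yara_uint32(data, 0) == ELF_MAGIC_LE and all(s in data for s in DERUSBI_STRINGS)


def build_sample(elf: bool = True, include_all: bool = True) -> bytes:
    """Constructed test input (not a real module): an ELF-like header followed by
    a fake strtab-style run of NUL-separated symbol names."""
    header = b"\x7fELF" if elf else b"MZ\x90\x00"   # PE-style magic for the negative case
    header += b"\x02\x01\x01" + b"\x00" * 9          # ELF64, little-endian, version 1, padding
    names = DERUSBI_STRINGS if include_all else [s for s in DERUSBI_STRINGS if s != b"kfree_skb"]
    return header + b"\x00".join(names) + b"\x00"


if __name__ == "__main__":
    cases = [("all strings, ELF", build_sample()),
             ("all strings, not ELF", build_sample(elf=False)),
             ("missing kfree_skb", build_sample(include_all=False))]
    for label, blob in cases:
        print(f"{label:22s} -> match={matches_derusbi_rule(blob)}")
    print("original literal fits uint32:", literal_fits_uint32(0x4464C457F))
```

The three constructed cases exercise both halves of the condition: a non-ELF file with every string present does not match, and an ELF file missing a single symbol does not match either, which is why "all of them" keeps the rule narrow but also makes it brittle against a rebuilt module that renames one symbol.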
This YARA rule may also match in the following legitimate contexts; apply the listed filters or exclusions when tuning it:
Scenario: Legitimate kernel module signing task using sign-file
Description: A system administrator is signing a kernel module using the sign-file tool as part of a secure boot process.
Filter/Exclusion: Check for the presence of /usr/bin/sign-file in the command line or use a process filter like process.name = sign-file.
Scenario: Scheduled job deploying a kernel module via insmod
Description: A scheduled job (e.g., via cron or systemd) is loading a signed kernel module using insmod as part of an automated patching process.
Filter/Exclusion: Filter by process.name = insmod and verify the module path matches known internal kernel modules.
Scenario: Security tool analyzing kernel modules with objdump
Description: A security analyst is using objdump to analyze a kernel module for debugging or forensic purposes.
Filter/Exclusion: Filter by process.name = objdump and check for known internal module paths or user-agent strings.
Scenario: Kernel module development using make and gcc
Description: A developer is compiling a kernel module using make and gcc as part of internal development or testing.
Filter/Exclusion: Filter by process.name = make or process.name = gcc and check for module paths in internal development directories.
Scenario: Kernel module loading via modprobe for a known driver
Description: A system is loading a legitimate kernel module (e.g., usb_storage, nvidia, or vfio) using modprobe as part of normal operation.
Filter/Exclusion: Filter by process.name = modprobe and check the module name against a whitelist of known, trusted modules.
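The five scenarios above describe one tuning procedure: suppress a rule match only when the process context fits a known-benign pattern, and alert otherwise. The following added example (mine, not from the original page) turns those filters into triage logic over constructed match events. The event shape, the internal module and development directories, and all file paths are assumptions standing in for an organisation's real inventory; the trusted modprobe names come from the page's own scenario.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical allowlists; replace with the organisation's real inventory.
INTERNAL_MODULE_DIRS = ("/opt/corp/modules/", "/usr/lib/modules/")  # assumed install paths
INTERNAL_DEV_DIRS = ("/home/dev/kmod-src/", "/srv/build/kernel/")   # assumed source trees
TRUSTED_MODPROBE_NAMES = {"usb_storage", "nvidia", "vfio"}           # names given on the page


@dataclass
class KernelModuleEvent:
    """Assumed shape of an enriched YARA-match event: the matched file plus the
    process that touched it."""
    process_name: str
    command_line: str
    file_path: str          # path of the file the rule matched on
    module_name: str = ""   # name passed to modprobe, when applicable


def _under(path: str, dirs: Tuple[str, ...]) -> bool:
    return any(path.startswith(d) for d in dirs)


def exclusion_for(ev: KernelModuleEvent) -> Optional[str]:
    """Return the name of the benign scenario that explains the match, or None
    if no exclusion applies and the match should be raised as an alert."""
    # Scenario 1: sign-file signing task (process name or explicit path on the command line)
    if ev.process_name == "sign-file" or "/usr/bin/sign-file" in ev.command_line:
        return "sign-file signing task"
    # Scenario 2: scheduled insmod, only for modules living in known internal locations
    if ev.process_name == "insmod" and _under(ev.file_path, INTERNAL_MODULE_DIRS):
        return "scheduled insmod of internal module"
    # Scenario 3: analyst running objdump against a known internal module
    if ev.process_name == "objdump" and _under(ev.file_path, INTERNAL_MODULE_DIRS):
        return "objdump analysis of internal module"
    # Scenario 4: module build by make/gcc inside an internal development tree
    if ev.process_name in ("make", "gcc") and _under(ev.file_path, INTERNAL_DEV_DIRS):
        return "kernel module build in development directory"
    # Scenario 5: modprobe of an allowlisted driver name
    if ev.process_name == "modprobe" and ev.module_name in TRUSTED_MODPROBE_NAMES:
        return "modprobe of allowlisted driver"
    return None


def triage(events: List[KernelModuleEvent]) -> List[Tuple[KernelModuleEvent, str]]:
    """Label every event either with the exclusion that suppresses it or 'ALERT'."""
    return [(ev, exclusion_for(ev) or "ALERT") for ev in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    KernelModuleEvent("insmod", "insmod /tmp/.x/mod.ko", "/tmp/.x/mod.ko"),
    KernelModuleEvent("insmod", "insmod /opt/corp/modules/corp_net.ko", "/opt/corp/modules/corp_net.ko"),
    KernelModuleEvent("modprobe", "modprobe nvidia", "/usr/lib/modules/nvidia.ko", "nvidia"),
    KernelModuleEvent("modprobe", "modprobe oddname", "/var/tmp/oddname.ko", "oddname"),
    KernelModuleEvent("sign-file", "/usr/bin/sign-file sha256 key.pem cert.pem m.ko", "/srv/build/m.ko"),
    KernelModuleEvent("objdump", "objdump -d /tmp/sample.ko", "/tmp/sample.ko"),
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"{ev.process_name:9s} {ev.file_path:36s} -> {verdict}")
```

Note that the exclusions are deliberately conjunctive: an insmod or objdump against a file outside the internal directories still alerts, so a process name alone never suppresses a match. That is the check a practitioner should insist on, because process names are trivially chosen by whoever loads the module.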