TID-203: Malicious OS Kernel Driver/Module Installable
Threat Description
Threat actors may be able to install a driver or kernel module containing malicious code in order to load a rootkit and manipulate the OS. Drivers and kernel modules generally run at the highest privilege level of the OS (e.g. Ring 0 on x86), so a malicious one can alter the behavior of the existing kernel, for example by hooking system calls or hiding files, processes and network connections from user-space tools. On most OSes a kernel module or driver can be installed by any user with root or administrative permissions, though some OSes require that drivers be digitally signed by a key the OS trusts (for example the OS vendor's or a trusted OEM's signing key) before they can be loaded; Linux can enforce this with a kernel built with CONFIG_MODULE_SIG_FORCE or booted with module.sig_enforce=1, and Windows requires kernel-mode code signing by default.
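The following script is an added example of a host check for this threat on Linux; it is not code from the original entry or from any of the referenced sources. It parses the /proc/modules listing, the integer taint mask from /proc/sys/kernel/tainted, the module.sig_enforce parameter and kernel log lines, and flags loaded modules that carry the taint letters the kernel sets for out-of-tree (O), unsigned (E), proprietary (P) or force-loaded (F) modules, or that the kernel reported as failing signature verification. All sample data below is constructed for illustration; the module name syslogk is used only as a label and the addresses and sizes are made up.

```python
import re

# Kernel taint bits as documented in the kernel's tainted-kernels guide.
TAINT_BITS = {
    0: "P",   # proprietary (non-GPL) module loaded
    1: "F",   # module was force-loaded (modprobe -f)
    2: "S",   # kernel running on an out-of-spec system
    3: "R",   # module was force-unloaded
    4: "M",   # machine check exception
    5: "B",   # bad page reference
    6: "U",   # userspace-requested taint
    7: "D",   # kernel died (oops/BUG)
    8: "A",   # ACPI table overridden
    9: "W",   # warning issued
    10: "C",  # staging driver loaded
    11: "I",  # platform firmware workaround
    12: "O",  # out-of-tree module loaded
    13: "E",  # unsigned module loaded
    14: "L",  # soft lockup occurred
    15: "K",  # kernel live-patched
    16: "X",  # auxiliary taint (distribution-defined)
    17: "T",  # kernel built with randstruct
}

# Taint letters that mean a module the kernel build did not vouch for was loaded.
MODULE_TAINT_FLAGS = {"P", "F", "O", "E"}

# /proc/modules: name size refcount deps state address [(taint letters)]
_PROC_MODULES_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<size>\d+)\s+(?P<refcount>\d+)\s+(?P<deps>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)(?:\s+\((?P<taint>[A-Z+-]+)\))?\s*$"
)

# Kernel log line emitted when a module fails signature verification; an optional
# dmesg timestamp prefix such as "[   12.345701]" is tolerated.
_VERIFY_FAIL_RE = re.compile(
    r"^(?:\[[^\]]*\]\s*)?(?P<name>\S+): module verification failed:"
)

def decode_taint(value):
    """Expand the integer from /proc/sys/kernel/tainted into its flag letters."""
    return {letter for bit, letter in TAINT_BITS.items() if value & (1 << bit)}

def parse_proc_modules(text):
    """Parse /proc/modules content into dicts with per-module taint letters."""
    modules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _PROC_MODULES_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised /proc/modules line: {line!r}")
        deps = [] if m["deps"] == "-" else [d for d in m["deps"].split(",") if d]
        modules.append({
            "name": m["name"],
            "size": int(m["size"]),
            "refcount": int(m["refcount"]),
            "deps": deps,
            "taint": set(m["taint"] or ""),
        })
    return modules

def verification_failures(dmesg_text):
    """Names of modules the kernel reported as failing signature verification."""
    return [m["name"] for m in
            (_VERIFY_FAIL_RE.match(l.strip()) for l in dmesg_text.splitlines()) if m]

def sig_enforce_enabled(param_text):
    """True if /sys/module/module/parameters/sig_enforce reads 'Y'."""
    return param_text.strip() == "Y"

def suspicious_modules(proc_modules_text, dmesg_text):
    """Return {module_name: [reasons]} for loaded modules that deserve a closer look."""
    findings = {}
    failed = set(verification_failures(dmesg_text))
    for mod in parse_proc_modules(proc_modules_text):
        reasons = []
        flags = mod["taint"] & MODULE_TAINT_FLAGS
        if flags:
            reasons.append("taint flags " + "".join(sorted(flags)))
        if mod["name"] in failed:
            reasons.append("signature verification failed")
        if reasons:
            findings[mod["name"]] = reasons
    return findings

# Constructed sample data (not captured from a real system).
SAMPLE_PROC_MODULES = """\
nf_tables 372736 0 - Live 0xffffffffc0b00000
syslogk 16384 0 - Live 0xffffffffc0a00000 (OE)
ext4 1048576 1 - Live 0xffffffffc0c00000
"""
SAMPLE_DMESG = """\
[   12.345678] syslogk: loading out-of-tree module taints kernel.
[   12.345701] syslogk: module verification failed: signature and/or required key missing - tainting kernel
"""
SAMPLE_TAINTED = "12288\n"      # bits 12 (O) and 13 (E) set
SAMPLE_SIG_ENFORCE = "N\n"      # signatures are checked but not enforced

if __name__ == "__main__":
    print("kernel taint flags:", "".join(sorted(decode_taint(int(SAMPLE_TAINTED)))))
    print("module.sig_enforce:", sig_enforce_enabled(SAMPLE_SIG_ENFORCE))
    for name, reasons in suspicious_modules(SAMPLE_PROC_MODULES, SAMPLE_DMESG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, read the four inputs from /proc/modules, /proc/sys/kernel/tainted, /sys/module/module/parameters/sig_enforce and the kernel log instead of the constructed strings. The check only sees what the running kernel reports: a kernel-resident rootkit that hooks the system calls used to read /proc can filter its own entry out of the listing, so treat a clean result as weak evidence and pair it with enforced module signing at boot and with out-of-band inspection (for example of a memory image) when a compromise is suspected.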
Threat Maturity and Evidence
Observed Adversary Behavior
Syslogk Rootkit
“The Syslogk rootkit installed itself as a Linux kernel module where it had the ability to hook functions/syscalls, manipulate and create its own syscalls, and launch a payload that contains a backdoor at the request of remote threat actors.”
CWE
CWE-306 Missing Authentication for Critical Function
“The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.”