Hooked on Linux: Rootkit Taxonomy, Hooking Techniques and Tradecraft
This report details the taxonomy, evolution, and hooking techniques of Linux rootkits. It highlights the shift from userland and LKM-based rootkits to advanced evasive techniques leveraging eBPF and io_uring, which challenge traditional EDR visibility and kernel hardening measures.
Authors: Elastic Security Labs
Source: Elastic Security Labs
Key Files
- /proc/modules - System file listing loaded kernel modules; targeted by LKM rootkits, which hide themselves from it for evasion.
- /sys/kernel/debug/kprobes/list - Kernel debug file that lists active kprobes; monitored to detect unexpected or malicious kprobes registered by rootkits.
Key Takeaways
- Linux rootkits have evolved from userland shared objects to Loadable Kernel Modules (LKMs), eBPF, and emerging io_uring-based implementations.
- Modern rootkits increasingly abuse legitimate kernel frameworks like ftrace, kprobes, and eBPF to install stealthy hooks without traditional module loading.
- Linux kernel 6.9 introduced architectural changes to syscall dispatching that broke traditional sys_call_table hooking, though new techniques like FlipSwitch can bypass this.
- The io_uring asynchronous I/O interface is emerging as a powerful evasion technique, allowing attackers to batch operations and bypass per-syscall EDR monitoring.
Affected Systems
- Linux (various kernel versions including pre-2.6, 4.8+, 5.1+, 6.9+)
- Containers and Kubernetes
- IoT devices
- Production servers
Vulnerabilities (CVEs)
- CVE-2022-0847
Attack Chain
Attackers gain initial access and deploy a loader component, which may escalate privileges using vulnerabilities like CVE-2022-0847 (Dirty Pipe). The loader wipes execution evidence from bash_history and syslog, then establishes persistence via systemd, cron, or udev. Finally, the core rootkit payload is executed, utilizing techniques like LKM injection, eBPF programs, or io_uring to hook kernel functions, hide processes, and maintain stealthy control.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article focuses on rootkit theory and hooking techniques; detection engineering and specific rules will be covered in part two of the series.
Detection Engineering Assessment
- EDR Visibility: Medium. Traditional EDRs can detect LKM loading and basic syscall hooking, but advanced rootkits using eBPF, io_uring, or inline patching often bypass standard per-syscall telemetry.
- Network Visibility: Low. Rootkits actively hide network sockets and connections from userland tools like netstat and lsof.
- Detection Difficulty: Hard. Rootkits operate at the highest privilege levels, subverting the very APIs and structures that security tools rely on for visibility.
Required Log Sources
- Kernel Audit Logs
- eBPF Telemetry
- File Integrity Monitoring (FIM)
- Process Execution Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected or unauthorized eBPF programs being loaded into the kernel. | eBPF subsystem logs, auditd | Persistence/Evasion | Medium (legitimate tracing/monitoring tools use eBPF) |
| Identify anomalous io_uring activity, such as unusually large batches of metadata operations bypassing standard syscalls. | io_uring_enter syscall monitoring | Evasion | High (high-performance applications legitimately use io_uring) |
| Monitor for unexpected kprobes registered in the kernel debug filesystem. | /sys/kernel/debug/kprobes/list | Evasion | Low (production systems rarely have dynamic kprobes added outside of specific debugging sessions) |
Control Gaps
- Syscall-based EDR monitoring (bypassed by io_uring)
- Userland integrity checks (bypassed by kernel-level hooks)
Key Behavioral Indicators
- Mismatches between on-disk libraries and in-memory imports
- Altered GOT/PLT entries
- Unexpected LD_PRELOAD or LD_AUDIT environment variables
- Hidden modules not listed in /proc/modules
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Review /sys/kernel/debug/kprobes/list for unauthorized kprobes.
- Check for suspicious LD_PRELOAD or LD_AUDIT environment variables across active sessions.
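As an added example (not code from the Elastic article), a small Python triage module that turns the behavioral indicators and the immediate-mitigation steps above into checks you can run against the real files. The file contents, addresses and module names embedded below are constructed samples, and the allowlist of known kprobe symbols is an assumption you would populate from your own EDR or tracing tooling.

```python
"""Added triage helpers for the indicators above: unexpected kprobes in
/sys/kernel/debug/kprobes/list, LD_PRELOAD/LD_AUDIT in live process environments,
and loaded modules missing from /proc/modules. Example code, not from the article."""

def parse_kprobes_list(text):
    """Parse kprobes/list lines: '<addr>  <k|r>  <symbol>+<off>  [module] [FLAGS]...'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ("k", "r"):
            continue  # blank line or a format we do not understand
        module = parts[3] if len(parts) > 3 and not parts[3].startswith("[") else None
        entries.append({
            "type": parts[1],                     # k = kprobe, r = kretprobe
            "symbol": parts[2].split("+", 1)[0],  # drop the +0x<offset> suffix
            "module": module,                     # module owning the probed symbol, if any
            "flags": "".join(p for p in parts[3:] if p.startswith("[")),  # e.g. [FTRACE]
        })
    return entries

def unexpected_kprobes(text, allowlist):
    """Probed symbols not explained by known tooling (EDR, tracing) on this host."""
    return sorted({e["symbol"] for e in parse_kprobes_list(text) if e["symbol"] not in allowlist})

def linker_hijack_vars(environ_bytes):
    """Scan NUL-separated /proc/<pid>/environ content for dynamic-linker hijack variables."""
    found = {}
    for entry in environ_bytes.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep and key in (b"LD_PRELOAD", b"LD_AUDIT"):
            found[key.decode()] = value.decode(errors="replace")
    return found

def hidden_modules(proc_modules_text, sysfs_loaded):
    """Names with a /sys/module/<name>/initstate entry but no /proc/modules line.
    A rootkit that unlinks itself from the module list may also delete its sysfs
    kobject, so an empty result is not proof of a clean host."""
    listed = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return sorted(set(sysfs_loaded) - listed)

# Constructed samples standing in for the real files; addresses and names are made up.
KPROBES_SAMPLE = """ffffffff812a1b30  k  do_sys_open+0x0    [FTRACE][OPTIMIZED]
ffffffff811e5f40  r  __x64_sys_getdents64+0x0    [FTRACE]
ffffffffc0a01000  k  nf_ct_get_tuple+0x0  nf_conntrack [DISABLED]
"""
ENVIRON_SAMPLE = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/example_hook.so\0HOME=/root\0"
PROC_MODULES_SAMPLE = "ext4 778240 2 - Live 0xffffffffc0c00000\nnf_conntrack 172032 1 nf_nat, Live 0xffffffffc0a00000\n"
SYSFS_LOADED_SAMPLE = ["ext4", "nf_conntrack", "example_rk"]  # example_rk is the planted anomaly
```

On a live host, feed the functions the contents of the kprobes debug file, each /proc/<pid>/environ, /proc/modules and the names under /sys/module that have an initstate file; reading the kprobes list needs root, and a non-empty result from any check is a triage lead rather than a verdict.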
Infrastructure Hardening
- Enable Secure Boot to enforce kernel module signing.
- Implement Linux Security Modules (LSMs) like SELinux or AppArmor.
- Restrict CAP_BPF and CAP_SYS_ADMIN capabilities to prevent unauthorized eBPF program loading.
- Enable CONFIG_STRICT_KERNEL_RWX to enforce read-only kernel memory pages.
User Protection
- Deploy File Integrity Monitoring (FIM) on critical configuration files like /etc/profile and .bashrc.
Security Awareness
- Educate operations teams on the risks of outdated IoT kernels and unmonitored headless production servers.
MITRE ATT&CK Mapping
- T1014 - Rootkit
- T1574.006 - Hijack Execution Flow: Dynamic Linker Hijacking
- T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
- T1068 - Exploitation for Privilege Escalation
- T1070.002 - Indicator Removal: Clear Linux or Mac System Logs
- T1070.003 - Indicator Removal: Clear Command History
- T1543.002 - Create or Modify System Process: Systemd Service
- T1053.003 - Scheduled Task/Job: Cron
- T1562.001 - Impair Defenses: Disable or Modify Tools
Additional IOCs
- File Paths:
  - /etc/profile - Global profile file targeted for userland rootkit persistence.
  - .bashrc - User profile file targeted for userland rootkit persistence.
  - .profile - User profile file targeted for userland rootkit persistence.
- Command Lines:
  - Purpose: Load malicious kernel modules into memory | Tools: insmod, modprobe | Stage: Execution/Persistence | Example: insmod <module.ko>
  - Purpose: Load and attach eBPF programs to kernel tracepoints or LSM hooks | Tools: bpftool, tc | Stage: Execution/Evasion | Example: bpftool prog load
- Other:
  - LD_AUDIT - Environment variable abused for dynamic linker hijacking.