Version: 0.4.0

Init Module

This kind of event is generated when a kernel module is loaded into the kernel.

module metadata

Due to the nature of the init_module syscall, it is fairly complicated to find a reliable way (in pure eBPF) to access the kernel module data and extract hashing information from it.

Until we find a solution to that issue, we propose detecting suspicious module loads based on the loading context (ancestors, loader, ...) rather than on the data of the module being loaded.

{
  "data": {
    "ancestors": "/usr/lib/systemd/systemd|/usr/bin/login|/usr/bin/zsh|/usr/bin/bash|/usr/bin/xinit|/usr/bin/i3|/usr/bin/bash|/usr/bin/urxvt|/usr/bin/zsh|/usr/bin/bash|/usr/bin/sudo|/usr/bin/sudo",
    "command_line": "modprobe nbd max_part=42",
    "exe": {
      "path": "/usr/bin/kmod"
    },
    "syscall": "finit_module",
    "module_name": "nbd",
    "args": "max_part=42",
    "loaded": true
  },
  "info": {
    "host": "...",
    "event": {
      "source": "kunai",
      "id": 20,
      "name": "init_module",
      "uuid": "adb54376-1f88-7b3b-7de2-c933a468dce6",
      "batch": 695
    },
    "task": "...",
    "parent_task": "...",
    "utc_time": "2024-10-29T12:47:59.794342920Z"
  }
}
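
The context-based detection proposed above, as an added example that is not part of Kunai or its documentation: a Python check over JSON-lines events that flags module loads whose loader, ancestor chain or syscall is unusual. The loader allowlist, the writable path prefixes and the second sample event are assumptions constructed for illustration.

```python
import json

# Assumed policy, not defined by Kunai or this page: tune per environment.
EXPECTED_LOADERS = {"/usr/bin/kmod"}
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample log: the page's event (trimmed) and a made-up outlier.
SAMPLE_LOG = """\
{"data": {"ancestors": "/usr/lib/systemd/systemd|/usr/bin/login|/usr/bin/zsh|/usr/bin/sudo", "command_line": "modprobe nbd max_part=42", "exe": {"path": "/usr/bin/kmod"}, "syscall": "finit_module", "module_name": "nbd", "loaded": true}, "info": {"event": {"name": "init_module", "uuid": "adb54376-1f88-7b3b-7de2-c933a468dce6"}}}
{"data": {"ancestors": "/usr/lib/systemd/systemd|/usr/sbin/cron|/usr/bin/bash", "command_line": "/tmp/helper", "exe": {"path": "/tmp/helper"}, "syscall": "init_module", "module_name": "example_mod", "loaded": true}, "info": {"event": {"name": "init_module", "uuid": "00000000-0000-0000-0000-000000000001"}}}
"""


def assess_load(event):
    """Return context findings for one init_module event (empty if none)."""
    if event.get("info", {}).get("event", {}).get("name") != "init_module":
        return []
    data = event.get("data", {})
    loader = data.get("exe", {}).get("path", "")
    findings = []
    if loader not in EXPECTED_LOADERS:
        findings.append(f"unexpected loader: {loader or '<missing>'}")
    # ancestors is a '|'-separated chain of executable paths
    chain = [p for p in data.get("ancestors", "").split("|") if p] + [loader]
    risky = sorted({p for p in chain if p.startswith(WRITABLE_PREFIXES)})
    if risky:
        findings.append("user-writable path in load chain: " + ", ".join(risky))
    # init_module(2) takes the image from memory, finit_module(2) from a file
    if data.get("syscall") == "init_module":
        findings.append("module image supplied from memory")
    return findings


def scan(log_text):
    """Map event uuid -> findings for every event that has at least one."""
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        findings = assess_load(event)
        if findings:
            report[event["info"]["event"]["uuid"]] = findings
    return report


if __name__ == "__main__":
    for uuid, findings in scan(SAMPLE_LOG).items():
        print(uuid, findings)
```

Findings are hunting leads rather than verdicts: the `modprobe` load from the page passes cleanly, while the constructed event trips all three checks.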