How to detect fileless kernel compromise in Linux



  • Is there a way to detect fileless kernel compromise in Linux?

    The only way to analyze this kind of attack is with Volatility. Volatility is a very good product, but it is not updated often, especially for modern kernels (obviously because the kernel changes often), so it gives false positives.

    Is there any alternative way to check the running kernel?



  • You do have the possibility of using LKIM to measure the integrity of the kernel dynamically. Unlike antivirus software, which uses a database of signatures, LKIM checks for specific patterns or behavior that could indicate malicious deviations. Note that RHEL now has its own kernel integrity subsystem using a similar kind of technology; you can check the full documentation here.
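Two cheap runtime checks in the same spirit, as an added example that is not from the question, the answer, or LKIM: decode the kernel taint flags, and cross-check the module list in /proc/modules against /sys/module, where a module unlinked from the kernel list but still present in sysfs is a classic hiding artifact. The helper functions take their input as arguments so they can be exercised anywhere; only main() assumes a Linux host, and these heuristics are a first-pass signal, not a substitute for an integrity measurement framework.

```python
import os

# Taint bits from Documentation/admin-guide/tainted-kernels.rst (bit -> name)
TAINT_BITS = {
    0: "PROPRIETARY_MODULE", 1: "FORCED_MODULE", 2: "CPU_OUT_OF_SPEC",
    3: "FORCED_RMMOD", 4: "MACHINE_CHECK", 5: "BAD_PAGE", 6: "USER",
    7: "DIE", 8: "OVERRIDDEN_ACPI_TABLE", 9: "WARN", 10: "CRAP",
    11: "FIRMWARE_WORKAROUND", 12: "OOT_MODULE", 13: "UNSIGNED_MODULE",
    14: "SOFTLOCKUP", 15: "LIVEPATCH", 16: "AUX", 17: "RANDSTRUCT", 18: "TEST",
}
# Bits that most directly suggest kernel code the distribution did not ship.
SUSPICIOUS = {"FORCED_MODULE", "FORCED_RMMOD", "OOT_MODULE", "UNSIGNED_MODULE"}


def decode_taint(value):
    """Names of every taint bit set in an integer /proc/sys/kernel/tainted value."""
    return [name for bit, name in sorted(TAINT_BITS.items()) if (value >> bit) & 1]


def parse_proc_modules(text):
    """Module names: the first column of each /proc/modules line."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def hidden_modules(proc_names, sysfs_names):
    """Loadable modules present in /sys/module but missing from /proc/modules.

    Unlinking a module from the kernel's module list while leaving its sysfs
    directory behind is a well-known rootkit artifact. Pass only sysfs entries
    that carry an 'initstate' file: built-in modules also get a /sys/module
    directory but never appear in /proc/modules, and must not be counted.
    """
    return set(sysfs_names) - set(proc_names)


def loadable_sysfs_modules(root="/sys/module"):
    """Names of loadable (non-built-in) modules according to sysfs."""
    return {n for n in os.listdir(root)
            if os.path.exists(os.path.join(root, n, "initstate"))}


def main():
    # Live checks; these paths exist only on a Linux host.
    with open("/proc/sys/kernel/tainted") as f:
        flags = decode_taint(int(f.read().strip()))
    print("taint flags:", flags or "none")
    print("suspicious :", sorted(SUSPICIOUS & set(flags)) or "none")
    with open("/proc/modules") as f:
        hidden = hidden_modules(parse_proc_modules(f.read()), loadable_sysfs_modules())
    print("in sysfs but not in /proc/modules:", sorted(hidden) or "none")


if __name__ == "__main__":
    main()
```

A module missing from both lists, or a rootkit that patches the reading side, will not show up here; treat an empty result as absence of one cheap signal, not as a clean bill of health.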


