Special File Creation via Mknod Syscall
- source: sigma
- techniques:
  - t1543
  - t1543.003
Description
Detects usage of the mknod syscall to create special files (e.g., character or block devices). Attackers or malware might use mknod to create fake devices, interact with kernel interfaces, or establish covert channels in Linux systems. Monitoring the use of mknod is important because this syscall is rarely used by legitimate applications, and it can be abused to bypass file system restrictions or create backdoors.
Detection logic
condition: selection
selection:
  syscall: mknod
  type: SYSCALL
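The selection above applied to audit records, as an added example that is not part of the rule or the Sigma project: it assumes auditd SYSCALL records whose numeric syscall field has already been resolved to a name (as `ausearch -i` does), and the sample events are constructed for illustration.

```python
import re

# Constructed audit records (not real captures). Field names follow the auditd
# key=value format; the syscall number is assumed to be already resolved to a name.
SAMPLE_EVENTS = [
    "type=SYSCALL msg=audit(1700000000.101:501): arch=x86_64 syscall=mknod "
    "success=yes exit=0 uid=root comm=mknod exe=/usr/bin/mknod key=(null)",
    "type=SYSCALL msg=audit(1700000000.102:502): arch=x86_64 syscall=openat "
    "success=yes exit=3 uid=root comm=bash exe=/usr/bin/bash key=(null)",
    "type=PATH msg=audit(1700000000.101:501): item=0 name=/tmp/fakedev nametype=CREATE",
    "type=SYSCALL msg=audit(1700000000.103:503): arch=x86_64 syscall=mknodat "
    "success=yes exit=0 uid=root comm=python3 exe=/usr/bin/python3 key=(null)",
]

# The rule's selection: every listed field must match the record's value.
SELECTION = {"type": "SYSCALL", "syscall": "mknod"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def matches_selection(record, selection=SELECTION):
    """Sigma string matching is case-insensitive and exact unless wildcards are used,
    so 'mknodat' does not satisfy 'syscall: mknod'."""
    return all(record.get(key, "").lower() == value.lower()
               for key, value in selection.items())


def find_matches(lines):
    """Return the parsed records that trigger the rule."""
    records = (parse_audit_record(line) for line in lines)
    return [rec for rec in records if matches_selection(rec)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT: {hit['comm']} ({hit['exe']}) called {hit['syscall']}")
```

Note that the `mknodat` record is not matched, because the selection compares the syscall name exactly; whether the libc on the monitored hosts routes `mknod()` through the `mknodat` syscall is worth checking before relying on this rule alone.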