rule:
  meta:
    name: register Netfilter hook on Linux
    namespace: host-interaction/network
    authors:
      - aryanyk
    description: kernel rootkits can register Netfilter hooks to inspect or modify packet flow
    scopes:
      static: instruction
      dynamic: call
    att&ck:
      - Defense Evasion::Impair Defenses [T1562]
    references:
      - https://inferi.club/post/the-art-of-linux-kernel-rootkits
      - https://www.kernel.org/doc/html/latest/networking/netfilter.html
  features:
    - and:
      - os: linux
      - or:
        - api: nf_register_net_hook
        - api: nf_register_hook
last edited: 2026-03-27 17:03:16
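As an added example that is not part of this rule or of the capa project, the following Python transcribes the rule's feature tree and evaluates it against constructed `nm -u`-style symbol listings of kernel modules, the way a defender might triage an unknown `.ko` for Netfilter hook registration; the module names and symbol lists are made up, and only the `and`, `or`, `os` and `api` node kinds this rule uses are handled.

```python
# Added example, not part of the capa rule or the capa project: a minimal
# evaluator for this rule's feature tree, run over constructed `nm -u`-style
# symbol listings. Only the node kinds the rule uses (and, or, os, api) are supported.

# The feature tree of the rule above, transcribed as Python data.
RULE_FEATURES = [
    {"and": [
        {"os": "linux"},
        {"or": [
            {"api": "nf_register_net_hook"},
            {"api": "nf_register_hook"},
        ]},
    ]},
]

def _match_node(node, sample):
    """Evaluate one feature node; sample is {"os": str, "apis": set of str}."""
    (kind, value), = node.items()
    if kind == "and":
        return all(_match_node(child, sample) for child in value)
    if kind == "or":
        return any(_match_node(child, sample) for child in value)
    if kind == "os":
        return sample.get("os") == value
    if kind == "api":
        return value in sample.get("apis", set())
    raise ValueError(f"unsupported feature kind: {kind}")

def rule_matches(sample):
    """True when every top-level feature of the rule matches the sample."""
    return all(_match_node(node, sample) for node in RULE_FEATURES)

def sample_from_nm_output(nm_text, os_name="linux"):
    """Collect undefined ('U') symbols from `nm -u` output as the module's called APIs."""
    apis = set()
    for line in nm_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "U":
            apis.add(parts[1])
    return {"os": os_name, "apis": apis}

# Constructed listings for two hypothetical modules (not real samples).
HOOKING_MODULE_NM = "U nf_register_net_hook\nU nf_unregister_net_hook\nU printk\n"
BENIGN_MODULE_NM = "U printk\nU kmalloc\nU kfree\n"

if __name__ == "__main__":
    for name, nm in (("hooking.ko", HOOKING_MODULE_NM), ("benign.ko", BENIGN_MODULE_NM)):
        print(name, "matches" if rule_matches(sample_from_nm_output(nm)) else "no match")
```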