Add nursery rules for Linux kernel rootkit techniques

Author: aryanyk

nursery/escalate-privileges-via-commit_creds-on-linux.yml

@@ -0,0 +1,21 @@
+rule:
+  meta:
+    name: escalate privileges via commit_creds on Linux
+    namespace: host-interaction/privilege
+    authors:
+      - Aryan Khandhadiya
+    description: detect Linux kernel modules that escalate privileges using prepare_kernel_cred and commit_creds, a technique commonly used by rootkits
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Privilege Escalation::Exploitation for Privilege Escalation [T1068]
+    references:
+      - https://inferi.club/post/the-art-of-linux-kernel-rootkits
+      - https://www.kernel.org/doc/html/latest/security/credentials.html
+
+  features:
+    - and:
+      - os: linux
+      - api: prepare_kernel_cred
+      - api: commit_creds

nursery/register-netfilter-hook-on-linux.yml

@@ -0,0 +1,22 @@
+rule:
+  meta:
+    name: register Netfilter hook on Linux
+    namespace: host-interaction/network
+    authors:
+      - Aryan Khandhadiya
+    description: kernel rootkits can register Netfilter hooks to inspect or modify packet flow
+    scopes:
+      static: function
+      dynamic: call
+    att&ck:
+      - Defense Evasion::Impair Defenses [T1562]
+    references:
+      - https://inferi.club/post/the-art-of-linux-kernel-rootkits
+      - https://www.kernel.org/doc/html/latest/networking/netfilter.html
+
+  features:
+    - and:
+      - os: linux
+      - or:
+        - api: nf_register_net_hook
+        - api: nf_register_hook