T1014

Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits intercept and modify operating system API calls to conceal malware activity and can reside at user-space, kernel-space, or firmware levels. Real-world deployments include Drovorub (GRU-attributed Linux kernel rootkit using LKMs), Skidmap (cryptocurrency miner with kernel-mode hooking), TeamTNT's Diamorphine (open-source LKM), Ebury (SSH userland rootkit), Rocke (ld.so.preload hijacking), Umbreon (libc hooking), and Windows-based rootkits from Carberp and Stuxnet. Linux kernel rootkits typically leverage loadable kernel modules (LKMs) or shared library preloading via /etc/ld.so.preload. Windows kernel rootkits abuse driver loading mechanisms. Detection is most effective at installation and loading time — once active, rootkits actively conceal themselves from OS-level enumeration.

Microsoft Sentinel / Defender

kusto

// T1014 Rootkit — Multi-signal, multi-platform detection
// Signal 1: Windows kernel driver service installation from suspicious path (Security Event ID 4697)
let KernelDriverInstall = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4697
| extend ServiceName = extract(@'<Data Name="ServiceName">([^<]+)</Data>', 1, EventData)
| extend ServiceFileName = extract(@'<Data Name="ServiceFileName">([^<]+)</Data>', 1, EventData)
| extend ServiceType = extract(@'<Data Name="ServiceType">([^<]+)</Data>', 1, EventData)
| where ServiceType in~ ("0x00000001", "0x1", "Kernel Driver")
| extend IsSuspiciousPath = (
    ServiceFileName has_any (@"\\Temp\\", @"\\tmp\\", @"\\Users\\Public\\", @"\\AppData\\", @"\\Downloads\\", @"\\ProgramData\\")
    or not(ServiceFileName startswith @"C:\\Windows\\"))
| where IsSuspiciousPath
| project TimeGenerated, Host = Computer, Account,
          DetectionType = "KernelDriverInstall",
          Indicator = ServiceName,
          Detail = ServiceFileName;
// Signal 2: Driver (.sys) file loaded from non-standard filesystem path (MDE DeviceImageLoadEvents)
let SuspiciousDriverLoad = DeviceImageLoadEvents
| where Timestamp > ago(24h)
| where FileName endswith ".sys"
| where not(FolderPath has_any (
    @"C:\\Windows\\System32\\",
    @"C:\\Windows\\SysWOW64\\",
    @"C:\\Windows\\WinSxS\\",
    @"C:\\Program Files\\",
    @"C:\\Program Files (x86)\\",
    @"C:\\Windows\\servicing\\"
  ))
| project TimeGenerated = Timestamp, Host = DeviceName, Account = AccountName,
          DetectionType = "SuspiciousDriverLoad",
          Indicator = FileName,
          Detail = FolderPath;
// Signal 3: Linux kernel module loading outside package manager context (MDE for Linux)
let LinuxKernelModuleLoad = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("insmod", "modprobe")
| where not(InitiatingProcessFileName in~ (
    "systemd", "apt-get", "apt", "dpkg", "rpm", "yum", "dnf",
    "snap", "pacman", "zypper", "kmod", "update-initramfs", "dracut"
  ))
| project TimeGenerated = Timestamp, Host = DeviceName, Account = AccountName,
          DetectionType = "LinuxKernelModuleLoad",
          Indicator = FileName,
          Detail = ProcessCommandLine;
// Signal 4: Modification of /etc/ld.so.preload — userland rootkit hook point (Rocke, Umbreon, Ebury TTP)
let LdPreloadModification = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath =~ "/etc" and FileName =~ "ld.so.preload"
| where ActionType in~ ("FileCreated", "FileModified")
| project TimeGenerated = Timestamp, Host = DeviceName, Account = AccountName,
          DetectionType = "LdPreloadModification",
          Indicator = FileName,
          Detail = InitiatingProcessCommandLine;
// Combine all signals
union KernelDriverInstall, SuspiciousDriverLoad, LinuxKernelModuleLoad, LdPreloadModification
| sort by TimeGenerated desc

critical severity medium confidence

Data Sources

Driver: Driver Load File: File Creation File: File Modification Process: Process Creation Windows Security Event Log Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceImageLoadEvents DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate third-party kernel drivers (VPN clients, hardware manufacturers, security software) installed from staging directories before being moved to C:\Windows\System32\drivers\
Linux infrastructure provisioning via configuration management tools (Ansible, Puppet, Chef) loading expected kernel modules such as nf_tables, overlay, or br_netfilter on new nodes
Containerization and virtualization software (Docker, VirtualBox, VMware) loading kernel modules (vboxdrv.ko, vmwgfx.ko, overlay.ko) during service startup outside package manager context
Security hardening and compliance scanning tools that inspect or recreate /etc/ld.so.preload as part of CIS benchmark enforcement or file integrity verification workflows
Custom in-house kernel modules loaded on specialized appliances, HPC systems, or network gear where non-standard module paths are expected by design

Splunk

spl

// T1014 Rootkit — Windows and Linux multi-source detection
(
  // Windows: New kernel driver service installation (System Event Log 7045)
  (sourcetype="WinEventLog:System" EventCode=7045
   (ServiceType="1" OR ServiceType="kernel driver" OR ServiceType="Kernel Driver"))
  OR
  // Windows: Sysmon EventCode=6 (Driver Loaded) from non-standard path
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=6
   NOT (ImageLoaded="C:\\Windows\\System32\\*"
     OR ImageLoaded="C:\\Windows\\SysWOW64\\*"
     OR ImageLoaded="C:\\Windows\\WinSxS\\*"
     OR ImageLoaded="C:\\Program Files\\*"
     OR ImageLoaded="C:\\Program Files (x86)\\*"
     OR ImageLoaded="C:\\Windows\\servicing\\*"))
  OR
  // Linux: auditd kernel module syscalls — insmod calls init_module/finit_module
  (sourcetype="linux_auditd" type=SYSCALL
   (syscall="init_module" OR syscall="finit_module" OR syscall="delete_module"))
  OR
  // Linux: auditd PATH record for /etc/ld.so.preload write (userland rootkit hook)
  (sourcetype="linux_auditd" type=PATH name="/etc/ld.so.preload"
   (nametype="CREATE" OR nametype="NORMAL"))
)
| eval detection_type=case(
    EventCode="7045", "WindowsKernelDriverInstall",
    EventCode="6", "SuspiciousDriverLoad",
    (syscall="init_module" OR syscall="finit_module"), "LinuxKernelModuleLoad",
    syscall="delete_module", "LinuxKernelModuleUnload",
    name="/etc/ld.so.preload", "LdPreloadModification",
    true(), "Unknown"
  )
| eval indicator=coalesce(ServiceName, ImageLoaded, exe, name, "")
| eval account=coalesce(AccountName, auid, uid, "")
| eval ppid_name=coalesce(ParentImage, ppid, "")
| eval is_suspicious_path=if(
    match(lower(indicator),
      "(\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|\\\\programdata\\\\|/tmp/|/var/tmp/|/dev/shm/)"),
    1, 0
  )
| eval from_pkg_manager=if(
    match(lower(ppid_name),
      "(systemd|apt|dpkg|rpm|yum|dnf|snap|pacman|zypper|kmod|dracut|update-initramfs)"),
    1, 0
  )
| where detection_type!="LinuxKernelModuleLoad" OR from_pkg_manager=0
| table _time, host, detection_type, indicator, account, is_suspicious_path, ServiceType, syscall, ppid_name, auid
| sort - _time

critical severity medium confidence

Data Sources

Driver: Driver Load File: File Creation File: File Modification Process: Process Creation Sysmon Event ID 6 Linux auditd Windows System Event Log

Required Sourcetypes

WinEventLog:System XmlWinEventLog:Microsoft-Windows-Sysmon/Operational linux_auditd

False Positives

Legitimate kernel driver installations by VPN software, hardware vendors, or security tools that stage driver binaries in user-accessible paths before moving them to the driver store
Linux infrastructure automation (Ansible, Puppet) loading expected kernel modules during node provisioning — these appear as insmod/modprobe outside package manager context
Virtualization software (VirtualBox, VMware, KVM/QEMU) loading kernel modules (vboxdrv.ko, kvm.ko, vmwgfx.ko) during service initialization not triggered by package manager
Security auditing and hardening scripts that write to or inspect /etc/ld.so.preload as part of CIS benchmark compliance or file integrity baseline creation
Kernel module version upgrades during OS patching that trigger delete_module then init_module for the same module — generates both a removal and load event

Elastic Security (EQL)

eql

/* T1014 Rootkit — Multi-signal Elastic EQL detection */
any where
  /* Signal 1: Windows kernel driver service installation from suspicious path (Event 7045 or 4697) */
  (
    event.code in ("7045", "4697") and
    (
      winlog.event_data.ServiceType == "1" or
      winlog.event_data.ServiceType == "0x1" or
      winlog.event_data.ServiceType like~ "*kernel*driver*"
    ) and
    (
      winlog.event_data.ImagePath like~ "*\\\\Temp\\\\*" or
      winlog.event_data.ImagePath like~ "*\\\\AppData\\\\*" or
      winlog.event_data.ImagePath like~ "*\\\\Downloads\\\\*" or
      winlog.event_data.ImagePath like~ "*\\\\ProgramData\\\\*" or
      winlog.event_data.ImagePath like~ "*\\\\Users\\\\Public\\\\*"
    )
  )
  or
  /* Signal 2: Driver (.sys) file loaded from non-standard filesystem path (Sysmon Event 6) */
  (
    event.code == "6" and
    dll.name like~ "*.sys" and
    not (
      dll.path like~ "C:\\\\Windows\\\\System32\\\\*" or
      dll.path like~ "C:\\\\Windows\\\\SysWOW64\\\\*" or
      dll.path like~ "C:\\\\Windows\\\\WinSxS\\\\*" or
      dll.path like~ "C:\\\\Program Files\\\\*" or
      dll.path like~ "C:\\\\Program Files (x86)\\\\*" or
      dll.path like~ "C:\\\\Windows\\\\servicing\\\\*"
    )
  )
  or
  /* Signal 3: Linux kernel module loading outside package manager context */
  (
    event.category == "process" and
    process.name in ("insmod", "modprobe") and
    not process.parent.name in (
      "systemd", "apt-get", "apt", "dpkg", "rpm",
      "yum", "dnf", "snap", "pacman", "zypper",
      "kmod", "update-initramfs", "dracut"
    )
  )
  or
  /* Signal 4: Modification of /etc/ld.so.preload — userland rootkit hook point (Rocke, Umbreon, Ebury TTP) */
  (
    event.category == "file" and
    file.path == "/etc/ld.so.preload" and
    event.type in ("creation", "change")
  )

critical severity medium confidence

Data Sources

Elastic Agent with Windows integration (System and Security event logs) Elastic Sysmon integration (XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) Elastic Agent with Linux integration (auditd or eBPF-based file/process events) Elastic Endgame or Elastic Defend endpoint sensor

Required Tables

logs-system.security-* logs-system.system-* logs-windows.sysmon_operational-* logs-endpoint.events.process-* logs-endpoint.events.file-*

False Positives

Hardware vendor update utilities (Dell Command Update, HP Support Assistant, NVIDIA driver installer) that stage .sys files to %TEMP% before installation and registration via sc.exe — the driver briefly appears in a suspicious path before being moved to System32
Enterprise EDR or DLP products (Carbon Black, Trellix, Symantec) loading their own kernel drivers from a custom installation directory under Program Files that does not exactly match standard whitelist patterns, especially during sensor upgrades
VMware Tools, VirtualBox Guest Additions, or open-vm-tools using modprobe to load vmhgfs/vboxsf/vsock kernel modules where the parent process is a shell script rather than a recognized package manager binary
Ansible, Chef, or Puppet running insmod/modprobe as a child of a Python interpreter or shell to configure kernel networking (e.g., enabling ip_tables or loading br_netfilter for Kubernetes)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "ServiceName",
  "ServiceType",
  "ImagePath",
  "ImageLoaded",
  "syscall",
  "name" AS audit_file_path,
  "nametype",
  "comm" AS parent_process_name,
  "auid",
  CASE
    WHEN eventid = 7045
      AND (LOWER("ServiceType") LIKE '%kernel%'
           OR "ServiceType" = '1'
           OR "ServiceType" = '0x1')
      AND (
        "ImagePath" ILIKE '%\temp\%'
        OR "ImagePath" ILIKE '%\appdata\%'
        OR "ImagePath" ILIKE '%\downloads\%'
        OR "ImagePath" ILIKE '%\programdata\%'
        OR "ImagePath" ILIKE '%\users\public\%'
      )
      THEN 'WindowsKernelDriverInstall'
    WHEN QIDNAME(qid) ILIKE '%Driver Loaded%'
      AND NOT (
        "ImageLoaded" ILIKE 'C:\Windows\System32\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\SysWOW64\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\WinSxS\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files (x86)\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\servicing\%'
      )
      THEN 'SuspiciousDriverLoad'
    WHEN "type" = 'SYSCALL'
      AND "syscall" IN ('init_module', 'finit_module')
      AND NOT (
        "comm" ILIKE 'apt%' OR "comm" ILIKE 'dpkg%'
        OR "comm" = 'rpm' OR "comm" = 'yum' OR "comm" = 'dnf'
        OR "comm" = 'kmod' OR "comm" = 'dracut'
        OR "comm" = 'systemd' OR "comm" = 'pacman'
        OR "comm" = 'zypper' OR "comm" = 'snap'
      )
      THEN 'LinuxKernelModuleLoad'
    WHEN "type" = 'SYSCALL' AND "syscall" = 'delete_module'
      THEN 'LinuxKernelModuleUnload'
    WHEN "type" = 'PATH'
      AND "name" = '/etc/ld.so.preload'
      AND "nametype" IN ('CREATE', 'NORMAL')
      THEN 'LdPreloadModification'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LAST 24 HOURS
  AND (
    /* Signal 1: Windows kernel driver service install from suspicious path (System Event 7045) */
    (
      eventid = 7045
      AND (
        LOWER("ServiceType") LIKE '%kernel%'
        OR "ServiceType" = '1'
        OR "ServiceType" = '0x1'
      )
      AND (
        "ImagePath" ILIKE '%\temp\%'
        OR "ImagePath" ILIKE '%\appdata\%'
        OR "ImagePath" ILIKE '%\downloads\%'
        OR "ImagePath" ILIKE '%\programdata\%'
        OR "ImagePath" ILIKE '%\users\public\%'
      )
    )
    OR
    /* Signal 2: Driver (.sys) loaded from non-standard path (Sysmon EventCode 6 via QRadar DSM) */
    (
      QIDNAME(qid) ILIKE '%Driver Loaded%'
      AND NOT (
        "ImageLoaded" ILIKE 'C:\Windows\System32\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\SysWOW64\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\WinSxS\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files (x86)\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\servicing\%'
      )
    )
    OR
    /* Signal 3: Linux auditd kernel module load syscalls outside package manager */
    (
      "type" = 'SYSCALL'
      AND "syscall" IN ('init_module', 'finit_module', 'delete_module')
      AND NOT (
        "comm" ILIKE 'apt%' OR "comm" ILIKE 'dpkg%'
        OR "comm" = 'rpm' OR "comm" = 'yum' OR "comm" = 'dnf'
        OR "comm" = 'kmod' OR "comm" = 'dracut'
        OR "comm" = 'systemd' OR "comm" = 'pacman'
        OR "comm" = 'zypper' OR "comm" = 'snap'
      )
    )
    OR
    /* Signal 4: auditd PATH write to /etc/ld.so.preload (userland rootkit hook point) */
    (
      "type" = 'PATH'
      AND "name" = '/etc/ld.so.preload'
      AND "nametype" IN ('CREATE', 'NORMAL')
    )
  )
ORDER BY starttime DESC

critical severity medium confidence

Data Sources

Windows System Event Log via QRadar WinCollect agent or Universal DSM Sysmon XML events via QRadar DSM for Microsoft Windows Security Event Log Linux auditd via QRadar Linux OS DSM (SYSCALL and PATH record types) IBM QRadar Universal DSM for custom log sources

Required Tables

events

False Positives

Software installers that unpack .sys driver files to %TEMP% before registering via sc.exe — Event 7045 fires while the ImagePath still points to the temp staging location before the MSI/NSIS installer relocates it
Security operations tooling such as volatility, rekall, or commercial forensic suites running modprobe or insmod during live memory acquisition or malware triage on production Linux systems, where comm does not match any package manager
QRadar's own custom property extraction may fail to parse ServiceType or ImagePath fields from non-English Windows locale deployments, causing false positives when the CASE expression falls through to an incorrect detection_type due to null field values

Sumo Logic CSE

sql

/* T1014 Rootkit — Sumo Logic multi-signal detection */
(_sourceCategory="windows/system" OR _sourceCategory="windows/sysmon" OR _sourceCategory="linux/audit" OR _sourceCategory="*sysmon*" OR _sourceCategory="*auditd*" OR _sourceCategory="*wineventlog*")
| parse regex "(?:EventCode|EventID)[=:]\s*(?P<EventCode>\d+)" nodrop
| parse regex "ServiceType[=:]\s*(?P<ServiceType>[^\r\n\|]+)" nodrop
| parse regex "ServiceName[=:]\s*(?P<ServiceName>[^\r\n\|]+)" nodrop
| parse regex "(?:ImagePath|ServiceFileName|BinaryPathName)[=:]\s*(?P<ImagePath>[^\r\n\|]+)" nodrop
| parse regex "ImageLoaded[=:]\s*(?P<ImageLoaded>[^\r\n\|]+)" nodrop
| parse regex "\btype=(?P<audit_type>\S+)" nodrop
| parse regex "\bsyscall=(?P<syscall>\S+)" nodrop
| parse regex "\bname=(?P<audit_path>/[^\s]+)" nodrop
| parse regex "\bnametype=(?P<nametype>\S+)" nodrop
| parse regex "\bcomm=(?P<comm>[^\s"]+)" nodrop
| parse regex "\bexe=(?P<exe>[^\s]+)" nodrop
| where
    /* Signal 1: Windows kernel driver install from suspicious path (Event 7045) */
    (
      EventCode = "7045"
      and (ServiceType = "1" or ServiceType = "0x1" or toLowerCase(ServiceType) matches ".*kernel.*driver.*")
      and (
        toLowerCase(ImagePath) matches ".*\\\\temp\\\\.*"
        or toLowerCase(ImagePath) matches ".*\\\\appdata\\\\.*"
        or toLowerCase(ImagePath) matches ".*\\\\downloads\\\\.*"
        or toLowerCase(ImagePath) matches ".*\\\\programdata\\\\.*"
        or toLowerCase(ImagePath) matches ".*\\\\users\\\\public\\\\.*"
      )
    )
    or
    /* Signal 2: Driver (.sys) loaded from non-standard path (Sysmon Event 6) */
    (
      EventCode = "6"
      and not (
        toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\system32\\\\.*"
        or toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\syswow64\\\\.*"
        or toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\winsxs\\\\.*"
        or toLowerCase(ImageLoaded) matches "c:\\\\program files\\\\.*"
        or toLowerCase(ImageLoaded) matches "c:\\\\windows\\\\servicing\\\\.*"
      )
    )
    or
    /* Signal 3: Linux auditd kernel module syscall outside package manager */
    (
      audit_type = "SYSCALL"
      and syscall in ("init_module", "finit_module", "delete_module")
      and not comm in ("apt", "apt-get", "dpkg", "rpm", "yum", "dnf", "kmod", "snap", "pacman", "zypper", "dracut", "systemd", "update-initramfs")
    )
    or
    /* Signal 4: Write to /etc/ld.so.preload via auditd PATH record */
    (
      audit_type = "PATH"
      and audit_path = "/etc/ld.so.preload"
      and nametype in ("CREATE", "NORMAL")
    )
| eval detection_type = if(EventCode = "7045", "WindowsKernelDriverInstall",
    if(EventCode = "6", "SuspiciousDriverLoad",
    if(syscall = "init_module" or syscall = "finit_module", "LinuxKernelModuleLoad",
    if(syscall = "delete_module", "LinuxKernelModuleUnload",
    if(audit_path = "/etc/ld.so.preload", "LdPreloadModification", "Unknown")))))
| eval indicator = if(!isNull(ServiceName) and ServiceName != "", ServiceName,
    if(!isNull(ImageLoaded) and ImageLoaded != "", ImageLoaded,
    if(!isNull(exe) and exe != "", exe,
    if(!isNull(audit_path) and audit_path != "", audit_path, ""))))
| fields _time, _sourceHost, detection_type, indicator, ServiceType, ImagePath, ImageLoaded, syscall, audit_path, comm, EventCode
| sort by _time desc

critical severity medium confidence

Data Sources

Sumo Logic Windows Event Log Source (System log, _sourceCategory=windows/system) Sumo Logic Sysmon Event Log Source (_sourceCategory=windows/sysmon or *sysmon*) Sumo Logic Linux Syslog / Auditd Source (_sourceCategory=linux/audit or *auditd*) Sumo Logic Cloud SIEM Enterprise (CSE) for normalized event enrichment

Required Tables

Windows System Event Log source (EventCode 7045) Sysmon event log source (EventCode 6) Linux auditd source with SYSCALL and PATH record types

False Positives

Sumo Logic regex parsers may fail to extract ServiceType or ImagePath from Windows events in non-English locales or when the event format changes across OS versions, leading to missed detections or field mismatches that could misclassify benign events
Container runtime setup scripts (Docker, containerd, CRI-O startup) that use modprobe to load overlay, br_netfilter, or ip_tables kernel modules — the parent comm is typically a shell or container daemon, not a package manager
Performance monitoring or tracing tools that write a shared library path to /etc/ld.so.preload for legitimate LD_PRELOAD-based instrumentation (e.g., jemalloc, tcmalloc, Datadog APM LD_PRELOAD injection for glibc profiling)

Google Chronicle / SecOps

yaral

rule t1014_rootkit_multi_signal {
  meta:
    author = "Argus Detection Engineering"
    description = "T1014 Rootkit: detects kernel driver installation from suspicious paths, Linux LKM loading outside package manager context, and /etc/ld.so.preload modification. Covers Drovorub, Skidmap, Diamorphine, Rocke, Umbreon, and Ebury TTPs."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1014"
    reference = "https://attack.mitre.org/techniques/T1014/"
    version = "1.0"
    created = "2026-04-13"

  events:
    /* Signal 1: Windows kernel driver service installation from suspicious staging path
       Maps to Security Event 4697 or System Event 7045 ingested into UDM as STATUS_UPDATE */
    $win_driver.metadata.event_type = "STATUS_UPDATE"
    $win_driver.metadata.product_event_type = /^(4697|7045)$/
    re.regex(
      $win_driver.target.resource.name,
      `(?i)(\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|\\users\\public\\)`
    )
    $win_driver.principal.hostname = $host1

    /* Signal 2: Linux kernel module loaded via insmod or modprobe
       outside a recognized package manager parent process */
    $lkm_load.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($lkm_load.target.process.file.full_path, `/(insmod|modprobe)$`)
    not re.regex(
      $lkm_load.principal.process.file.full_path,
      `(systemd|apt-get|apt|dpkg|rpm|yum|dnf|snap|pacman|zypper|kmod|dracut|update.initramfs)`
    )
    $lkm_load.principal.hostname = $host2

    /* Signal 3: Modification or creation of /etc/ld.so.preload
       used by userland rootkits (Rocke, Umbreon, Ebury) to inject shared libraries */
    $ld_preload.metadata.event_type = "FILE_MODIFICATION"
    $ld_preload.target.file.full_path = "/etc/ld.so.preload"
    $ld_preload.principal.hostname = $host3

  condition:
    $win_driver or $lkm_load or $ld_preload
}

critical severity medium confidence

Data Sources

Google Chronicle UDM event stream Windows event log ingestion via Chronicle forwarder (event_type STATUS_UPDATE for 4697/7045) Linux auditd or EDR endpoint agent forwarded to Chronicle (event_type PROCESS_LAUNCH, FILE_MODIFICATION) Microsoft Defender for Endpoint or CrowdStrike Falcon via Chronicle connector

Required Tables

UDM events with metadata.event_type = STATUS_UPDATE and metadata.product_event_type in (4697, 7045) UDM events with metadata.event_type = PROCESS_LAUNCH for insmod/modprobe UDM events with metadata.event_type = FILE_MODIFICATION for /etc/ld.so.preload

False Positives

Legitimate enterprise software deployments (VPN clients such as Cisco AnyConnect or Palo Alto GlobalProtect, backup agents such as Veeam or Commvault) that register Windows kernel mode drivers via sc.exe from installation paths that include ProgramData subdirectories not covered by the standard allowlist
Linux infrastructure agents (Datadog, New Relic, Dynatrace, Falco) loading eBPF helper kernel modules using insmod or modprobe where the parent is a Python or Go binary rather than a package manager — these are common in containerized and cloud-native environments
Authorized red team or penetration testing exercises simulating rootkit installation on designated test hosts within the Chronicle-monitored environment that have not been excluded from the rule scope via hostname allowlist

CrowdStrike LogScale (CQL)

cql

// T1014 Rootkit — CrowdStrike Falcon LogScale (Humio) detection
// Covers Windows suspicious driver loads, Linux LKM loading, and ld.so.preload modification

#event_simpleName in ("DriverLoad", "ProcessRollup2", "SyntheticProcessRollup2", "FileWriteInfo", "FileCreateInfo")
| kvParse()

// Normalize field case for matching
| imageFileName_lc := lower(ImageFileName)
| parentBase_lc := lower(ParentBaseFileName)
| targetFile_lc := lower(TargetFileName)
| fileName_lc := lower(FileName)

| case {
    // Signal 1: Windows kernel driver loaded from suspicious non-standard path
    // DriverLoad fires when a kernel-mode driver .sys is loaded by the OS
    #event_simpleName = "DriverLoad"
    imageFileName_lc = /(\/|\\)(temp|appdata|downloads|programdata|users[\/\\]public)[\/\\]/
    | detection_type := "SuspiciousDriverLoad"
    | indicator := ImageFileName ;

    // Signal 2: Linux kernel module load via insmod or modprobe
    // outside a recognized package manager parent process
    #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
    fileName_lc in ("insmod", "modprobe")
    NOT parentBase_lc = /(systemd|apt-get|apt|dpkg|rpm|yum|dnf|snap|pacman|zypper|kmod|update-initramfs|dracut)/
    | detection_type := "LinuxKernelModuleLoad"
    | indicator := CommandLine ;

    // Signal 3: Write or creation of /etc/ld.so.preload
    // used by Rocke, Umbreon, Ebury for userland rootkit shared library injection
    #event_simpleName in ("FileWriteInfo", "FileCreateInfo")
    targetFile_lc = "/etc/ld.so.preload"
    | detection_type := "LdPreloadModification"
    | indicator := TargetFileName ;

    // Drop non-matching events
    * | drop() ;
  }

// Enrich with hash for IOC correlation
| table(
    [_time, ComputerName, UserPrincipalName, detection_type, indicator,
     FileName, ImageFileName, TargetFileName, CommandLine,
     ParentBaseFileName, SHA256HashData, ConfigBuild, aid],
    limit = 1000
  )
| sort(_time, order=desc)

critical severity medium confidence

Data Sources

CrowdStrike Falcon Sensor — Windows (DriverLoad, FileWriteInfo events) CrowdStrike Falcon Sensor — Linux (ProcessRollup2, SyntheticProcessRollup2, FileWriteInfo, FileCreateInfo events) CrowdStrike Falcon LogScale SIEM or Falcon Long Term Repository

Required Tables

#event_simpleName = DriverLoad #event_simpleName = ProcessRollup2 #event_simpleName = SyntheticProcessRollup2 #event_simpleName = FileWriteInfo #event_simpleName = FileCreateInfo

False Positives

CrowdStrike Falcon sensor self-updates and sensor component upgrades that trigger DriverLoad events for the cs-falconstore.sys or csagent.sys driver from paths that may temporarily appear non-standard during the update staging process — baseline by SHA256HashData and ConfigBuild fields
Third-party EDR co-existence scenarios where SentinelOne, Tanium, or Absolute Agent kernel drivers load during their installation from custom subdirectories not covered by the regex allowlist in the DriverLoad signal
Linux development or CI/CD build agents compiling and loading custom kernel modules using insmod as part of kernel driver unit tests, where the parent is a Make, GCC, or CI runner process rather than a package manager

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1014 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Rootkit

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections