Kernel Modules and Extensions
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand, extending kernel functionality without a reboot. When used maliciously, an LKM becomes a kernel-mode rootkit running at Ring 0, the highest operating system privilege level. Common features of LKM-based rootkits include hiding processes, files, and network activity, tampering with logs, providing backdoors, and granting root access. On macOS, kernel extensions (kexts) provide similar functionality but have been deprecated since Catalina 10.15 in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx.
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("insmod", "modprobe", "kextload", "kextutil")
or (FileName =~ "modinfo" and ProcessCommandLine has_any (".ko", "rootkit", "diamorphine", "reptile"))
| extend ModulePath = extract(@"([\w/\-\.]+\.ko)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ModulePath,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Data Sources
Required Tables
- DeviceProcessEvents
False Positives
- System boot loading standard kernel modules (e.g., network drivers, filesystem modules, USB drivers)
- Package manager (apt, yum, dnf) installing kernel module packages that trigger modprobe
- VirtualBox, VMware, or Docker installing their kernel modules (vboxdrv, vmmon, overlay)
- DKMS (Dynamic Kernel Module Support) rebuilding modules after kernel updates
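The following Python script is an added example, not part of the original detection page: it re-implements the logic of the KQL hunt above over a handful of constructed DeviceProcessEvents rows, extracts the module path with the same regular expression, and then applies a first-pass triage based on the false-positive list (parent processes such as dkms, package managers, VirtualBox and Docker are assumed benign when the loaded module has no path or lives under the packaged module directories). The `BENIGN_PARENTS` set, the `PACKAGED_MODULE_DIRS` tuple, the fixed `NOW` timestamp and every sample row are assumptions made for the example; KQL's term-based `has_any` is approximated by a case-insensitive substring match.

```python
"""Re-implementation of the T1547.006 KQL hunt over constructed sample rows (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 24h lookback is deterministic for the sample data (assumption).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _row(hours_ago, device, account, name, cmd, parent, parent_cmd):
    """Build one DeviceProcessEvents-shaped record."""
    return {
        "Timestamp": NOW - timedelta(hours=hours_ago),
        "DeviceName": device,
        "AccountName": account,
        "FileName": name,
        "ProcessCommandLine": cmd,
        "InitiatingProcessFileName": parent,
        "InitiatingProcessCommandLine": parent_cmd,
    }


# Constructed sample events (not real telemetry); hostnames, paths and commands are made up.
SAMPLE_EVENTS = [
    _row(1, "web01", "root", "insmod", "insmod /tmp/.x/diamorphine.ko", "bash",
         "bash -c insmod /tmp/.x/diamorphine.ko"),
    _row(2, "build02", "root", "modprobe", "modprobe vboxdrv", "vboxconfig", "/sbin/vboxconfig"),
    _row(3, "app07", "root", "modprobe", "modprobe -a overlay br_netfilter", "dockerd", "/usr/bin/dockerd"),
    _row(4, "build02", "root", "modprobe", "modprobe nvidia", "dkms", "dkms autoinstall"),
    _row(5, "web01", "alice", "modinfo", "modinfo /home/alice/reptile.ko", "bash", "bash"),
    _row(6, "web01", "alice", "ls", "ls -la /lib/modules", "bash", "bash"),
    _row(30, "db03", "root", "insmod", "insmod /root/test.ko", "bash", "bash"),  # outside the 24h window
]

# Same selectors as the KQL rule.
LOADERS = {"insmod", "modprobe", "kextload", "kextutil"}
MODINFO_TERMS = (".ko", "rootkit", "diamorphine", "reptile")  # has_any approximated as substring match
MODULE_PATH_RE = re.compile(r"([\w/\-\.]+\.ko)")

# Triage assumptions (not part of the original rule): parents named in the false-positive
# list, and the directories where distribution-packaged modules live.
BENIGN_PARENTS = {"dkms", "apt", "apt-get", "dpkg", "yum", "dnf", "vboxconfig", "dockerd",
                  "systemd-modules-load"}
PACKAGED_MODULE_DIRS = ("/lib/modules/", "/usr/lib/modules/")


def matches_rule(event, now=NOW, lookback=timedelta(hours=24)):
    """Mirror the two where-clauses of the KQL query (time window and process filter)."""
    if event["Timestamp"] <= now - lookback:
        return False
    name = event["FileName"].lower()  # in~ / =~ are case-insensitive
    if name in LOADERS:
        return True
    if name == "modinfo":
        cmd = event["ProcessCommandLine"].lower()
        return any(term in cmd for term in MODINFO_TERMS)
    return False


def module_path(cmd):
    """Same extraction as extract(@"([\\w/\\-\\.]+\\.ko)", 1, ProcessCommandLine)."""
    m = MODULE_PATH_RE.search(cmd)
    return m.group(1) if m else None


def triage(events, now=NOW):
    """Run the rule, project the same columns, and attach a first-pass verdict."""
    results = []
    for ev in events:
        if not matches_rule(ev, now):
            continue
        path = module_path(ev["ProcessCommandLine"])
        parent = ev["InitiatingProcessFileName"].lower()
        # A known benign parent loading a module by name, or from a packaged directory,
        # is the false-positive pattern described on the page; anything else is escalated.
        benign = parent in BENIGN_PARENTS and (path is None or path.startswith(PACKAGED_MODULE_DIRS))
        results.append({
            "Timestamp": ev["Timestamp"],
            "DeviceName": ev["DeviceName"],
            "AccountName": ev["AccountName"],
            "FileName": ev["FileName"],
            "ProcessCommandLine": ev["ProcessCommandLine"],
            "ModulePath": path,
            "InitiatingProcessFileName": ev["InitiatingProcessFileName"],
            "Verdict": "likely_benign" if benign else "alert",
        })
    results.sort(key=lambda r: r["Timestamp"], reverse=True)  # sort by Timestamp desc
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["Timestamp"]:%H:%M} {r["DeviceName"]:8} {r["Verdict"]:14} '
              f'{r["InitiatingProcessFileName"]:>12} -> {r["ProcessCommandLine"]}')
```

Running the script lists the five in-window matches newest first; the two loads from a user shell (one from `/tmp`, one `modinfo` of a file named after REPTILE in a home directory) are escalated, while the VirtualBox, Docker and DKMS loads land in the likely-benign bucket for review rather than being suppressed outright.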
References (7)
- https://attack.mitre.org/techniques/T1547/006/
- https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- https://github.com/f0rb1dd3n/Reptile
- https://github.com/m0nad/Diamorphine
- https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- https://developer.apple.com/support/kernel-extensions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md