T1547.006 Google Chronicle · YARA-L

Detect Kernel Modules and Extensions in Google Chronicle

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand, extending kernel functionality without reboot. When used maliciously, LKMs can be a type of kernel-mode rootkit running at Ring 0 with the highest operating system privilege. Common features of LKM-based rootkits include hiding processes, files, and network activity, log tampering, providing backdoors, and enabling root access. On macOS, kernel extensions (kexts) provide similar functionality but are deprecated since Catalina 10.15 in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx.

MITRE ATT&CK

Tactic
Persistence Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.006 Kernel Modules and Extensions
Canonical reference
https://attack.mitre.org/techniques/T1547/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule lkm_rootkit_kernel_module_loading {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious kernel module loading via insmod, modprobe, kextload, or kextutil. Covers known LKM rootkits including Diamorphine, REPTILE, Phalanx, and Drovorub (T1547.006)."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1547.006"
    reference = "https://attack.mitre.org/techniques/T1547/006/"
    created = "2026-04-20"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      $e.principal.process.file.full_path = /\/insmod$/ or
      $e.principal.process.file.full_path = /\/modprobe$/ or
      $e.principal.process.file.full_path = /\/kextload$/ or
      $e.principal.process.file.full_path = /\/kextutil$/ or
      (
        $e.principal.process.file.full_path = /\/modinfo$/ and
        (
          $e.target.process.command_line = /\.ko/ or
          $e.target.process.command_line = /rootkit/ or
          $e.target.process.command_line = /diamorphine/ or
          $e.target.process.command_line = /reptile/
        )
      ) or
      $e.target.process.command_line = /(?i)(diamorphine|reptile|phalanx|drovorub|skidmap|hidden|stealth|backdoor)/
    )

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting kernel module loading via standard Linux utilities and macOS kext tools. Identifies both the execution of kernel module loaders and suspicious module names associated with known LKM-based rootkits that provide persistent Ring 0 access.

Data Sources

Google Chronicle UDMLinux endpoint telemetrymacOS endpoint telemetry

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • IT operations scripts using modprobe to load VPN kernel modules (wireguard, openvpn-tun) during network configuration changes
  • Hardware vendor agents loading proprietary drivers via insmod as part of firmware updates or diagnostics
  • Security research or malware analysis environments where rootkit samples are loaded in isolated VMs for behavioral analysis
Download portable Sigma rule (.yml)

Other platforms for T1547.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Load Kernel Module via insmod

    Expected signal: Auditd: SYSCALL event for init_module with exe=/sbin/insmod. Syslog entry for insmod command execution. Process creation event for insmod with the module path argument.

  2. Test 2Enumerate Loaded Kernel Modules

    Expected signal: Process creation events for lsmod and cat /proc/modules. No kernel module loading events.

  3. Test 3macOS Kext Load Attempt

    Expected signal: Process creation event for kextload. macOS unified log entries for kext loading attempt. If SIP is enabled, a denial event is also logged.

Last updated: 2026-04-20 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1547.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1547Boot or Logon Autostart Execution

Related Sub-techniques

T1547.001Registry Run Keys / Startup FolderT1547.002Authentication PackageT1547.003Time ProvidersT1547.004Winlogon Helper DLLT1547.005Security Support ProviderT1547.007Re-opened ApplicationsT1547.008LSASS DriverT1547.009Shortcut ModificationT1547.010Port MonitorsT1547.012Print ProcessorsT1547.013XDG Autostart EntriesT1547.014Active SetupT1547.015Login Items

Related Techniques

T1547Boot or Logon Autostart ExecutionT1014RootkitT1562.001Disable or Modify ToolsT1070Indicator RemovalT1543.002Systemd Service

Same Tactic: Persistence

Popular Detections