Detect Kernel Modules and Extensions in Elastic Security
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand, extending kernel functionality without reboot. When used maliciously, LKMs can be a type of kernel-mode rootkit running at Ring 0 with the highest operating system privilege. Common features of LKM-based rootkits include hiding processes, files, and network activity, log tampering, providing backdoors, and enabling root access. On macOS, kernel extensions (kexts) provide similar functionality but are deprecated since Catalina 10.15 in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.006 Kernel Modules and Extensions
- Canonical reference
- https://attack.mitre.org/techniques/T1547/006/
Elastic Detection Query
process where event.type == "start" and (
process.name in ("insmod", "modprobe", "kextload", "kextutil") or
(process.name == "modinfo" and process.args : ("*.ko", "*rootkit*", "*diamorphine*", "*reptile*")) or
(process.name in ("insmod", "modprobe") and process.args : ("*diamorphine*", "*reptile*", "*phalanx*", "*drovorub*", "*hidden*", "*stealth*", "*backdoor*", "*rootkit*"))
)Detects kernel module loading via insmod, modprobe, kextload, or kextutil, including suspicious module names associated with known LKM rootkits such as Diamorphine, REPTILE, Phalanx, and Drovorub. Kernel modules run at Ring 0 and can hide processes, files, and network activity.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate kernel module installation during system patching or driver updates (e.g., DKMS rebuilding nvidia or VirtualBox modules)
- System administrators loading custom kernel modules for performance tuning or hardware support
- Container runtime or virtualization software (KVM, VMware) that loads kernel modules as part of normal operation
Other platforms for T1547.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Load Kernel Module via insmod
Expected signal: Auditd: SYSCALL event for init_module with exe=/sbin/insmod. Syslog entry for insmod command execution. Process creation event for insmod with the module path argument.
- Test 2Enumerate Loaded Kernel Modules
Expected signal: Process creation events for lsmod and cat /proc/modules. No kernel module loading events.
- Test 3macOS Kext Load Attempt
Expected signal: Process creation event for kextload. macOS unified log entries for kext loading attempt. If SIP is enabled, a denial event is also logged.
References (7)
- https://attack.mitre.org/techniques/T1547/006/
- https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- https://github.com/f0rb1dd3n/Reptile
- https://github.com/m0nad/Diamorphine
- https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- https://developer.apple.com/support/kernel-extensions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md
Unlock Pro Content
Get the full detection package for T1547.006 including response playbook, investigation guide, and atomic red team tests.