T1547.006 CrowdStrike LogScale · LogScale

Detect Kernel Modules and Extensions in CrowdStrike LogScale

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand, extending kernel functionality without reboot. When used maliciously, LKMs can be a type of kernel-mode rootkit running at Ring 0 with the highest operating system privilege. Common features of LKM-based rootkits include hiding processes, files, and network activity, log tampering, providing backdoors, and enabling root access. On macOS, kernel extensions (kexts) provide similar functionality but are deprecated since Catalina 10.15 in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx.

MITRE ATT&CK

Tactic
Persistence, Privilege Escalation
Technique
T1547 Boot or Logon Autostart Execution
Sub-technique
T1547.006 Kernel Modules and Extensions
Canonical reference
https://attack.mitre.org/techniques/T1547/006/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(insmod|modprobe|kextload|kextutil)$/
  OR (ImageFileName = /(?i)modinfo$/ AND CommandLine = /\.ko|rootkit|diamorphine|reptile/i)
  OR CommandLine = /(?i)(diamorphine|reptile|phalanx|drovorub|skidmap|hidden\.ko|stealth\.ko|backdoor\.ko)/
| regex(field=CommandLine, regex="(?<kernel_module>[\w/\-]+\.ko)", flags="i", strict=false)
| default(field=kernel_module, value="none")
| SuspiciousRootkit := if(CommandLine = /(?i)(diamorphine|reptile|phalanx|drovorub|skidmap)/, then="true", else="false")
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, kernel_module, SuspiciousRootkit], function=count(aid, as=event_count))
| sort(event_count, order=desc)

Severity: high. Confidence: high.

CrowdStrike LogScale detection for kernel module loading on Linux via insmod and modprobe and on macOS via kextload and kextutil. It extracts the loaded module file path (.ko) from the command line and flags known LKM rootkit names in the arguments, then groups results by host, user and command to surface repeated or bulk module loading activity.
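To check the query's logic offline, the following Python re-implements its filter, enrichment and grouping stages and runs them over constructed ProcessRollup2-style events. This is an added example, not CrowdStrike code; the sample events and hostnames are invented, and only the field names (aid, ComputerName, UserName, ImageFileName, CommandLine) follow the schema the query uses.

```python
"""Python re-implementation of the LogScale T1547.006 query, run over constructed
ProcessRollup2-style events. Added example: not CrowdStrike code; sample events
are made up; field names follow the schema the query groups on."""
import re
from collections import Counter

# Same patterns as the query's three OR branches.
LOADER_RE = re.compile(r"(insmod|modprobe|kextload|kextutil)$", re.I)
MODINFO_RE = re.compile(r"modinfo$", re.I)
MODINFO_ARGS_RE = re.compile(r"\.ko|rootkit|diamorphine|reptile", re.I)
KNOWN_ROOTKIT_RE = re.compile(
    r"diamorphine|reptile|phalanx|drovorub|skidmap|hidden\.ko|stealth\.ko|backdoor\.ko", re.I)
# Enrichment patterns: module path capture and the SuspiciousRootkit flag.
KO_PATH_RE = re.compile(r"([\w/\-]+\.ko)", re.I)
SUSPICIOUS_RE = re.compile(r"diamorphine|reptile|phalanx|drovorub|skidmap", re.I)

# Constructed sample events (all values invented for the example).
SAMPLE_EVENTS = [
    {"aid": "a1", "ComputerName": "web01", "UserName": "root",
     "ImageFileName": "/usr/sbin/insmod", "CommandLine": "insmod /tmp/diamorphine.ko"},
    {"aid": "a1", "ComputerName": "web01", "UserName": "root",
     "ImageFileName": "/usr/sbin/insmod", "CommandLine": "insmod /tmp/diamorphine.ko"},
    {"aid": "a2", "ComputerName": "db01", "UserName": "root",
     "ImageFileName": "/usr/sbin/modprobe", "CommandLine": "modprobe nf_conntrack"},
    {"aid": "a2", "ComputerName": "db01", "UserName": "ops",
     "ImageFileName": "/usr/sbin/lsmod", "CommandLine": "lsmod"},
    {"aid": "a3", "ComputerName": "mac01", "UserName": "dev",
     "ImageFileName": "/usr/bin/kextload", "CommandLine": "kextload /Library/Extensions/Demo.kext"},
]


def matches_filter(ev):
    """Filter stage: loader binary, or modinfo on a .ko/rootkit name, or a known
    rootkit string anywhere in the command line."""
    image, cmd = ev["ImageFileName"], ev["CommandLine"]
    if LOADER_RE.search(image):
        return True
    if MODINFO_RE.search(image) and MODINFO_ARGS_RE.search(cmd):
        return True
    return KNOWN_ROOTKIT_RE.search(cmd) is not None


def enrich(ev):
    """Enrichment stage. As with a non-strict regex() plus a default value, an
    event whose command line has no .ko path (modprobe by name, kextload) keeps
    kernel_module="none" instead of being dropped from the results."""
    match = KO_PATH_RE.search(ev["CommandLine"])
    return {
        **ev,
        "kernel_module": match.group(1) if match else "none",
        "SuspiciousRootkit": "true" if SUSPICIOUS_RE.search(ev["CommandLine"]) else "false",
    }


GROUP_FIELDS = ("ComputerName", "UserName", "ImageFileName", "CommandLine",
                "kernel_module", "SuspiciousRootkit")


def run_detection(events):
    """groupBy on the six fields with count(aid), then sort by event_count desc."""
    counts = Counter()
    for ev in events:
        if not matches_filter(ev):
            continue
        enriched = enrich(ev)
        counts[tuple(enriched[f] for f in GROUP_FIELDS)] += 1
    rows = [dict(zip(GROUP_FIELDS, key), event_count=n) for key, n in counts.items()]
    # sorted() is stable, so equal counts keep first-seen order, like the query's sort.
    return sorted(rows, key=lambda r: r["event_count"], reverse=True)


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["event_count"], row["ComputerName"], row["SuspiciousRootkit"], row["CommandLine"])
```

Two behaviours worth noticing when running it: the lsmod event never reaches the output because the loader pattern anchors on the binary name, and the modprobe event survives with kernel_module set to "none", which is what you want if the rule is to catch loads by module name as well as by path. The path capture uses the query's own character class, which has no dot, so a module inside a dotted directory such as a hidden /tmp/.x/ would have its captured path truncated at that component.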

Data Sources

  • CrowdStrike Falcon ProcessRollup2 events
  • Falcon Linux sensor telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • Package managers (apt, yum, dnf) triggering DKMS to compile and load kernel modules after installing packages that include kernel drivers
  • Infrastructure automation tools (Terraform, Puppet, SaltStack) using modprobe as part of node bootstrapping for network or storage configuration
  • Legitimate penetration testing or red team exercises on authorized systems where kernel module rootkits are deployed as part of an engagement

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Load Kernel Module via insmod

    Expected signal: Auditd: SYSCALL event for init_module with exe=/sbin/insmod. Syslog entry for insmod command execution. Process creation event for insmod with the module path argument.

  2. Test 2: Enumerate Loaded Kernel Modules

    Expected signal: Process creation events for lsmod and cat /proc/modules. No kernel module loading events.

  3. Test 3: macOS Kext Load Attempt

    Expected signal: Process creation event for kextload. macOS unified log entries for kext loading attempt. If SIP is enabled, a denial event is also logged.
