Detect Kernel Modules and Extensions in IBM QRadar
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand, extending kernel functionality without reboot. When used maliciously, LKMs can be a type of kernel-mode rootkit running at Ring 0 with the highest operating system privilege. Common features of LKM-based rootkits include hiding processes, files, and network activity, log tampering, providing backdoors, and enabling root access. On macOS, kernel extensions (kexts) provide similar functionality but are deprecated since Catalina 10.15 in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.006 Kernel Modules and Extensions
- Canonical reference
- https://attack.mitre.org/techniques/T1547/006/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
username,
"hostname",
QIDNAME(qid) AS event_name,
UTF8(payload) AS raw_payload
FROM events
WHERE LOGSOURCETYPEID IN (11, 13, 105)
AND devicetime > DATEADD('hour', -24, NOW())
AND (
UTF8(payload) ILIKE '%insmod%'
OR UTF8(payload) ILIKE '%modprobe%'
OR UTF8(payload) ILIKE '%init_module%'
OR UTF8(payload) ILIKE '%finit_module%'
OR UTF8(payload) ILIKE '%kextload%'
OR UTF8(payload) ILIKE '%kextutil%'
OR UTF8(payload) ILIKE '%diamorphine%'
OR UTF8(payload) ILIKE '%reptile%'
OR UTF8(payload) ILIKE '%phalanx%'
OR UTF8(payload) ILIKE '%drovorub%'
OR UTF8(payload) ILIKE '%rootkit%'
OR (UTF8(payload) ILIKE '%.ko%' AND (UTF8(payload) ILIKE '%insmod%' OR UTF8(payload) ILIKE '%modprobe%'))
)
ORDER BY devicetime DESCDetects kernel module loading activity in QRadar by searching Linux syslog and auditd log sources for insmod, modprobe, init_module, and finit_module invocations, as well as .ko file loading and suspicious rootkit-associated module names.
Data Sources
Required Tables
False Positives & Tuning
- DKMS (Dynamic Kernel Module Support) automatically rebuilding and reloading drivers after kernel updates on Ubuntu/RHEL systems
- DevOps tooling such as Ansible or Chef invoking modprobe to configure network drivers or storage modules during provisioning
- Security tools like Falco, osquery, or eBPF-based EDR solutions that load their own kernel modules at startup
Other platforms for T1547.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Load Kernel Module via insmod
Expected signal: Auditd: SYSCALL event for init_module with exe=/sbin/insmod. Syslog entry for insmod command execution. Process creation event for insmod with the module path argument.
- Test 2Enumerate Loaded Kernel Modules
Expected signal: Process creation events for lsmod and cat /proc/modules. No kernel module loading events.
- Test 3macOS Kext Load Attempt
Expected signal: Process creation event for kextload. macOS unified log entries for kext loading attempt. If SIP is enabled, a denial event is also logged.
References (7)
- https://attack.mitre.org/techniques/T1547/006/
- https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- https://github.com/f0rb1dd3n/Reptile
- https://github.com/m0nad/Diamorphine
- https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- https://developer.apple.com/support/kernel-extensions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md
Unlock Pro Content
Get the full detection package for T1547.006 including response playbook, investigation guide, and atomic red team tests.