Detect Kernel Modules and Extensions in Microsoft Sentinel
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand, extending kernel functionality without reboot. When used maliciously, LKMs can be a type of kernel-mode rootkit running at Ring 0 with the highest operating system privilege. Common features of LKM-based rootkits include hiding processes, files, and network activity, log tampering, providing backdoors, and enabling root access. On macOS, kernel extensions (kexts) provide similar functionality but are deprecated since Catalina 10.15 in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx.
MITRE ATT&CK
- Tactic
- Persistence Privilege Escalation
- Technique
- T1547 Boot or Logon Autostart Execution
- Sub-technique
- T1547.006 Kernel Modules and Extensions
- Canonical reference
- https://attack.mitre.org/techniques/T1547/006/
KQL Detection Query
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("insmod", "modprobe", "kextload", "kextutil")
or (FileName =~ "modinfo" and ProcessCommandLine has_any (".ko", "rootkit", "diamorphine", "reptile"))
| extend ModulePath = extract(@"([\w/\-\.]+\.ko)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ModulePath,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp descDetects loading of kernel modules on Linux (insmod, modprobe) and macOS (kextload, kextutil). Extracts the .ko module path from the command line for analysis. Any kernel module loading outside of system boot, package installation, or driver updates warrants investigation as it may indicate rootkit deployment.
Data Sources
Required Tables
False Positives & Tuning
- System boot loading standard kernel modules (e.g., network drivers, filesystem modules, USB drivers)
- Package manager (apt, yum, dnf) installing kernel module packages that trigger modprobe
- VirtualBox, VMware, or Docker installing their kernel modules (vboxdrv, vmmon, overlay)
- DKMS (Dynamic Kernel Module Support) rebuilding modules after kernel updates
Other platforms for T1547.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Load Kernel Module via insmod
Expected signal: Auditd: SYSCALL event for init_module with exe=/sbin/insmod. Syslog entry for insmod command execution. Process creation event for insmod with the module path argument.
- Test 2Enumerate Loaded Kernel Modules
Expected signal: Process creation events for lsmod and cat /proc/modules. No kernel module loading events.
- Test 3macOS Kext Load Attempt
Expected signal: Process creation event for kextload. macOS unified log entries for kext loading attempt. If SIP is enabled, a denial event is also logged.
References (7)
- https://attack.mitre.org/techniques/T1547/006/
- https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- https://github.com/f0rb1dd3n/Reptile
- https://github.com/m0nad/Diamorphine
- https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- https://developer.apple.com/support/kernel-extensions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md
Unlock Pro Content
Get the full detection package for T1547.006 including response playbook, investigation guide, and atomic red team tests.