Detect Kernel Modules and Extensions in Sumo Logic CSE
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand, extending kernel functionality without a reboot. Used maliciously, an LKM is a kernel-mode rootkit running at Ring 0 with the highest operating system privilege. Common features of LKM-based rootkits include hiding processes, files, and network activity, tampering with logs, providing backdoors, and granting root access. On macOS, kernel extensions (kexts) provide similar functionality but have been deprecated since Catalina (10.15) in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx.
MITRE ATT&CK
- Tactic: Persistence, Privilege Escalation
- Technique: T1547 Boot or Logon Autostart Execution
- Sub-technique: T1547.006 Kernel Modules and Extensions
- Canonical reference: https://attack.mitre.org/techniques/T1547/006/
Sumo Detection Query
_sourceCategory=linux* OR _sourceCategory=syslog* OR _sourceCategory=auditd*
| where _raw matches /insmod|modprobe|init_module|finit_module|kextload|kextutil/
| parse regex field=_raw "(?<kernel_module>[\w/\-]+\.ko)" nodrop
| parse regex field=_raw "(?i)(?<suspicious_name>diamorphine|reptile|phalanx|drovorub|skidmap|hidden|stealth|backdoor|rootkit)" nodrop
| if(!isNull(suspicious_name), 1, 0) as is_suspicious
| parse regex field=_raw "(?:exe|comm)=\"?(?<process_name>[\w\-\.]+)\"?" nodrop
| parse regex field=_raw "(?:uid=|auid=)(?<uid>\d+)" nodrop
| fields _messageTime, _sourceHost, process_name, kernel_module, suspicious_name, is_suspicious, uid, _raw
| sort by _messageTime desc
Detects Linux kernel module loading (and macOS kextload/kextutil invocations) by searching syslog and auditd sources for insmod, modprobe, init_module and finit_module activity. Extracts the path of any .ko file named in the event and flags entries matching known rootkit names (Diamorphine, REPTILE, Phalanx, Drovorub, Skidmap) or the generic terms hidden, stealth, backdoor and rootkit.
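The query's parse and flag logic, replayed in Python over a handful of constructed auditd and syslog records so the field extraction can be checked offline. This is an added example, not part of the Sumo Logic content above; the host names, PIDs, timestamps and paths in SAMPLE_EVENTS are invented. It also goes one step beyond the query: raw auditd SYSCALL records carry the syscall number rather than its name, so the example resolves init_module/finit_module/delete_module from the x86_64 syscall table (an assumption about the audited architecture) and additionally flags loads issued by a tool other than insmod, modprobe, kmod or systemd-modules-load.

```python
import re

# Constructed sample records (invented host names, PIDs and timestamps) in the
# two shapes the query above consumes: raw auditd SYSCALL lines and syslog lines.
SAMPLE_EVENTS = [
    # 1. Raw auditd record. The syscall is numeric (175 = init_module on x86_64);
    #    the word "insmod" appears only because comm= carries the tool name.
    'type=SYSCALL msg=audit(1700000000.101:311): arch=c000003e syscall=175 '
    'success=yes exit=0 ppid=2210 pid=2211 auid=1000 uid=0 gid=0 comm="insmod" '
    'exe="/sbin/insmod" key="kernel_modules"',
    # 2. sudo syslog line carrying the module path and a known rootkit name.
    'Nov 14 22:13:10 web01 sudo:  alice : TTY=pts/0 ; PWD=/tmp ; USER=root ; '
    'COMMAND=/sbin/insmod /tmp/diamorphine.ko',
    # 3. Raw auditd record from a custom loader calling finit_module (313)
    #    directly: none of the query's trigger words, only the syscall number.
    'type=SYSCALL msg=audit(1700000000.202:412): arch=c000003e syscall=313 '
    'success=yes exit=0 ppid=1 pid=3001 auid=4294967295 uid=0 gid=0 '
    'comm="dropper" exe="/var/tmp/.x/dropper"',
    # 4. Benign: systemd loading a driver at boot; no trigger word, no syscall.
    "Nov 14 22:00:01 web01 systemd-modules-load[412]: Inserted module 'br_netfilter'",
    # 5. Benign: an admin unloading a module; trigger word, no path, no name hit.
    'Nov 14 22:15:42 web01 sudo:  bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; '
    'COMMAND=/sbin/modprobe -r wl',
]

# The four patterns are the query's own, transcribed to Python named groups.
TRIGGER = re.compile(r"insmod|modprobe|init_module|finit_module|kextload|kextutil")
MODULE_PATH = re.compile(r"(?P<kernel_module>[\w/\-]+\.ko)")
SUSPICIOUS = re.compile(
    r"(?i)(?P<suspicious_name>diamorphine|reptile|phalanx|drovorub|skidmap|"
    r"hidden|stealth|backdoor|rootkit)"
)
PROCESS = re.compile(r'(?:exe|comm)="?(?P<process_name>[\w\-\.]+)"?')
# Left-to-right search means auid= (the login user) wins over uid= when both
# are present, exactly as the query's pattern behaves.
UID = re.compile(r"(?:uid=|auid=)(?P<uid>\d+)")

# Added beyond the query: raw auditd records name the syscall by number, so
# resolve it. Numbers are the x86_64 table (auditd arch=c000003e); this is an
# assumption about the monitored hosts.
ARCH_SYSCALL = re.compile(r"\barch=(?P<arch>[0-9a-f]+)\b.*?\bsyscall=(?P<nr>\d+)\b")
X86_64_MODULE_SYSCALLS = {175: "init_module", 176: "delete_module", 313: "finit_module"}
LOAD_SYSCALLS = {"init_module", "finit_module"}
# Tools expected to issue these syscalls. The kernel truncates comm to 15
# characters, hence "systemd-modules" for systemd-modules-load.
EXPECTED_LOADERS = {"insmod", "modprobe", "kmod", "systemd-modules"}


def resolve_syscall(raw):
    """Return the syscall name for a raw x86_64 auditd record, else None."""
    m = ARCH_SYSCALL.search(raw)
    if not m or m.group("arch") != "c000003e":
        return None
    return X86_64_MODULE_SYSCALLS.get(int(m.group("nr")))


def parse_event(raw):
    """Apply the query's logic to one record; None if it would be filtered out."""
    syscall = resolve_syscall(raw)
    if not TRIGGER.search(raw) and syscall not in LOAD_SYSCALLS:
        return None
    module = MODULE_PATH.search(raw)
    name = SUSPICIOUS.search(raw)
    proc = PROCESS.search(raw)
    uid = UID.search(raw)
    process_name = proc.group("process_name") if proc else None

    reasons = []
    if name:
        reasons.append("matches rootkit name list: " + name.group("suspicious_name"))
    if syscall in LOAD_SYSCALLS and process_name not in EXPECTED_LOADERS:
        reasons.append("module load syscall from unexpected tool: " + str(process_name))

    return {
        "process_name": process_name,
        "kernel_module": module.group("kernel_module") if module else None,
        "suspicious_name": name.group("suspicious_name") if name else None,
        "syscall": syscall,
        "uid": int(uid.group("uid")) if uid else None,
        "is_suspicious": 1 if reasons else 0,
        "reasons": reasons,
        "raw": raw,
    }


def run_detection(events):
    """Return the records the query would surface, in input order."""
    return [hit for hit in map(parse_event, events) if hit is not None]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["is_suspicious"], hit["process_name"], hit["kernel_module"],
              hit["syscall"], hit["reasons"])
```

Record 3 is the case worth noticing: the page's regex never fires on it, because a loader that is not called insmod or modprobe leaves none of the trigger words in a raw auditd record. Resolving the syscall number (or tagging the audit rule with a key the regex can see) is what brings it into scope.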
Data Sources
- Linux syslog and auditd records, selected by _sourceCategory=linux*, _sourceCategory=syslog* or _sourceCategory=auditd*
False Positives & Tuning
- Automated kernel module loading by systemd-modules-load.service at boot time for legitimate hardware drivers
- Cloud provider agents (AWS SSM Agent, GCP Ops Agent) that may load kernel modules for monitoring or networking
- Kubernetes node setup scripts using modprobe to load br_netfilter, overlay, and other networking modules required by container runtimes
- Raw auditd SYSCALL records carry the syscall number, not its name (175 for init_module, 313 for finit_module and 176 for delete_module on x86_64), so the literal init_module and finit_module terms only match interpreted output (ausearch -i) or a rule tagged with a key the regex can see, for example -a always,exit -F arch=b64 -S init_module -S finit_module -S delete_module -k init_module. Without that, a loader that is not named insmod or modprobe is missed.
- The generic terms hidden, stealth, backdoor and rootkit in the name list match any message that also contains a trigger word, including benign module names and file paths; review hits on those terms before alerting on is_suspicious alone.
Testing Methodology
Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Load Kernel Module via insmod
Expected signal: Auditd: SYSCALL event for init_module with exe=/sbin/insmod. Syslog entry for insmod command execution. Process creation event for insmod with the module path argument.
- Test 2: Enumerate Loaded Kernel Modules
Expected signal: Process creation events for lsmod and cat /proc/modules. No kernel module loading events.
- Test 3: macOS Kext Load Attempt
Expected signal: Process creation event for kextload. macOS unified log entries for kext loading attempt. If SIP is enabled, a denial event is also logged.
References
- https://attack.mitre.org/techniques/T1547/006/
- https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
- https://github.com/f0rb1dd3n/Reptile
- https://github.com/m0nad/Diamorphine
- https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
- https://developer.apple.com/support/kernel-extensions/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md