title: Kernel Modules and Extensions (T1547.006)
id: df00tech-t1547-006
status: experimental
description: "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand, extending kernel functionality without reboot. When used maliciously, LKMs can be a type of kernel-mode rootkit running at Ring 0 with the highest operating system privilege. Common features of LKM-based rootkits include hiding processes, files, and network activity, log tampering, providing backdoors, and enabling root access. On macOS, kernel extensions (kexts) provide similar functionality but are deprecated since Catalina 10.15 in favor of System Extensions. Known malware using this technique includes Drovorub, Skidmap, REPTILE, Diamorphine, and Phalanx."
references:
  - https://attack.mitre.org/techniques/T1547/006/
  - https://df00tech.com/detections/T1547.006
author: df00tech
date: 2026/04/20
tags:
  - attack.t1547.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "System boot loading standard kernel modules (e.g., network drivers, filesystem modules, USB drivers)"
  - "Package manager (apt, yum, dnf) installing kernel module packages that trigger modprobe"
  - "VirtualBox, VMware, or Docker installing their kernel modules (vboxdrv, vmmon, overlay)"
  - DKMS (Dynamic Kernel Module Support) rebuilding modules after kernel updates
level: critical