EXPLORE
Sign In
← Back to Explore
T1547.006

Kernel Modules and Extensions

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)  When used maliciously, LKMs can be a type of kernel-mode [Root...

macOSLinux
25
Detections
3
Sources
0
Threat Actors

BY SOURCE

15elastic9splunk_escu1sigma

PROCEDURES (14)

Kernel Monitoring5 detections

Auto-extracted: 5 detections for kernel monitoring

Bypass4 detections

Auto-extracted: 4 detections for bypass

Unusual3 detections

Auto-extracted: 3 detections for unusual

Evasion2 detections

Auto-extracted: 2 detections for evasion

Driver2 detections

Auto-extracted: 2 detections for driver

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

Tamper1 detections

Auto-extracted: 1 detections for tamper

Persist1 detections

Auto-extracted: 1 detections for persist

Privilege1 detections

Auto-extracted: 1 detections for privilege

Service1 detections

Auto-extracted: 1 detections for service

Driver1 detections

Auto-extracted: 1 detections for driver

Service1 detections

Auto-extracted: 1 detections for service

Tamper1 detections

Auto-extracted: 1 detections for tamper

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

DETECTIONS (25)

Attempt to Unload Elastic Endpoint Security Kernel Extension
elastichigh
BPF Program or Map Load via bpftool
elasticmedium
First Time Seen Driver Loaded
elasticmedium
Kernel Driver Load
elasticlow
Kernel Driver Load by non-root User
elasticmedium
Kernel Load or Unload via Kexec Detected
elasticmedium
Kernel Module Load from Unusual Location
elastichigh
Kernel Module Load via Built-in Utility
elasticmedium
Kernel Module Removal
elasticlow
Kernel Object File Creation
elasticlow
Linux Auditd Insert Kernel Module Using Insmod Utility
splunk_escu
Linux Auditd Install Kernel Module Using Modprobe Utility
splunk_escu
Linux Auditd Kernel Module Using Rmmod Utility
splunk_escu
Linux Auditd Unload Module Via Modprobe
splunk_escu
Linux File Created In Kernel Driver Directory
splunk_escu
Linux Insert Kernel Module Using Insmod Utility
splunk_escu
Linux Install Kernel Module Using Modprobe Utility
splunk_escu
Loadable Kernel Module Configuration File Creation
elasticmedium
Loading of Kernel Module via Insmod
sigmahigh
Potential Persistence via File Modification
elasticlow
Suspicious Usage of bpf_probe_write_user Helper
elastichigh
Tainted Kernel Module Load
elasticmedium
Tainted Out-Of-Tree Kernel Module Load
elasticmedium
Windows Snake Malware Kernel Driver Comadmin
splunk_escu
Windows Snake Malware Service Create
splunk_escu