Kernel

A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components[1][2]

ID: DS0008
Platforms: Linux, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 10 November 2021

Data Components

Kernel: Kernel Module Load

An object file that contains code to extend the running kernel of an OS, typically used to add support for new hardware (as device drivers) and/or filesystems, or for adding system calls

Domain | ID | Name | Detects
Enterprise | T1547 | Boot or Logon Autostart Execution | Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
Enterprise | T1547.006 | Kernel Modules and Extensions | LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel.[3]
Enterprise | T1611 | Escape to Host | Monitor for the installation of kernel modules that could be abused to escape containers on a host.
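Detection logic for the Kernel Module Load component described above, as an added example that is not part of the ATT&CK page: a Python parser for Linux auditd KERN_MODULE and SYSCALL records that flags a module load when the module name is outside a baseline or the loading executable is not a trusted loader. The audit lines are constructed, the baseline set and trusted-loader list are assumptions, and the syscall numbers are x86_64 values.

```python
import re
from collections import defaultdict

# Constructed auditd-style records (not from the ATT&CK page): a routine
# modprobe load of a baselined module, then an init_module load of an
# unknown module by a loader binary outside the usual system path.
SAMPLE_AUDIT_LOG = """\
type=KERN_MODULE msg=audit(1634567890.101:410): name="nf_conntrack"
type=SYSCALL msg=audit(1634567890.101:410): arch=c000003e syscall=313 success=yes exit=0 auid=0 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=KERN_MODULE msg=audit(1634567890.202:411): name="unknown_mod"
type=SYSCALL msg=audit(1634567890.202:411): arch=c000003e syscall=175 success=yes exit=0 auid=1000 uid=0 comm="insmod" exe="/tmp/insmod" key="modules"
"""

# x86_64 syscall numbers that load a module (assumption: x86_64 hosts only).
MODULE_SYSCALLS = {175: "init_module", 313: "finit_module"}

RECORD_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group audit records by event serial so KERN_MODULE and SYSCALL join up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        events[serial][rtype] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return events


def find_module_loads(text, allowed_modules, trusted_loaders=("/usr/bin/kmod",)):
    """Return one alert per module-load event that deviates from the baseline."""
    alerts = []
    for serial, recs in parse_records(text).items():
        km, sc = recs.get("KERN_MODULE"), recs.get("SYSCALL")
        if not km or not sc or int(sc.get("syscall", -1)) not in MODULE_SYSCALLS:
            continue
        reasons = []
        if km.get("name") not in allowed_modules:
            reasons.append("module not in baseline")
        if sc.get("exe") not in trusted_loaders:
            reasons.append("untrusted loader")
        if reasons:
            alerts.append({"serial": serial, "module": km.get("name"),
                           "loader": sc.get("exe"), "auid": sc.get("auid"),
                           "syscall": MODULE_SYSCALLS[int(sc["syscall"])],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_module_loads(SAMPLE_AUDIT_LOG, {"nf_conntrack"}):
        print(alert)
```

The records assume audit rules watching init_module and finit_module with key "modules"; in production the baseline would come from an inventory of /lib/modules rather than a hard-coded set.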

References