Kernel

A computer program, at the core of a computer OS, that resides in memory and facilitates interactions between hardware and software components[1][2]

ID: DS0008
Platforms: Linux, macOS
Collection Layer: Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 25 April 2025

Data Components

Kernel: Kernel Module Load

The process of loading a kernel module into the operating system kernel. Kernel modules are object files that extend the kernel’s functionality, such as adding support for device drivers, new filesystems, or additional system calls. This action can be legitimate (e.g., loading a driver) or malicious (e.g., adding a rootkit).

Data Collection Measures:

  • Linux:
    • Auditd: Enable auditing of kernel module loading. Example rule: -a always,exit -F arch=b64 -S init_module,delete_module.
    • Syslog: Monitor /var/log/syslog or /var/log/messages for entries related to kernel module loads.
    • Systemd Journal: Use journalctl to query logs for module loading events: journalctl -k | grep "Loading kernel module"
  • macOS:
    • Unified Logs: Use the log command to query kernel module events: log show --predicate 'eventMessage contains "kextload"' --info
    • Endpoint Security Framework (ESF): Monitor for ES_EVENT_TYPE_AUTH_KEXTLOAD (kernel extension loading events).
  • Kernel-Specific Tools:
    • Lsmod: Use lsmod to list loaded kernel modules in real-time.
    • Kprobe/eBPF: Use extended Berkeley Packet Filter (eBPF) or Kernel Probes (kprobes) to monitor kernel events, including module loading. Example using eBPF tools like BCC: sudo python /path/to/bcc/tools/kprobe -v do_init_module
  • Enable EDR Monitoring:
    • Configure alerts for suspicious kernel module loads from non-standard paths (e.g., /tmp) and for unexpected or unsigned kernel modules.
    • Review detailed telemetry data provided by the EDR for insight into who initiated the module load, the file path, and whether the module was signed.
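As an added example (not part of the ATT&CK page), the detection logic a practitioner could run over auditd output from the rule above: it groups each SYSCALL record with its PROCTITLE record, decodes the hex-encoded command line to recover the module argument, and flags loads whose argument sits under a staging directory such as /tmp, the non-standard-path case mentioned under EDR monitoring. The log lines are constructed, the syscall numbers assume x86_64 (arch=c000003e), and the map also covers finit_module, which current kmod tools call and which the rule as written would need added to catch.

```python
import re
from collections import defaultdict

# x86_64 syscall numbers; they differ per architecture, so arch is checked before trusting them.
MODULE_SYSCALLS = {175: "init_module", 313: "finit_module", 176: "delete_module"}
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

# Constructed sample auditd output (not real telemetry): insmod of a module from /tmp,
# a legitimate modprobe by module name, and an rmmod.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=313 success=yes exit=0 uid=0 auid=1000 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=PROCTITLE msg=audit(1700000000.101:201): proctitle=696E736D6F64002F746D702F2E782F6576696C2E6B6F
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=313 success=yes exit=0 uid=0 auid=4294967295 comm="modprobe" exe="/usr/bin/kmod" key="modules"
type=PROCTITLE msg=audit(1700000000.202:202): proctitle=6D6F6470726F62650066757365
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=176 success=yes exit=0 uid=0 auid=1000 comm="rmmod" exe="/usr/bin/kmod" key="modules"
type=PROCTITLE msg=audit(1700000000.303:203): proctitle=726D6D6F64006576696C
"""

def parse_events(text):
    """Group raw auditd lines by event serial and merge their key=value fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events[m.group(2)].update((k, v.strip('"')) for k, v in KV_RE.findall(line))
    return events

def decode_proctitle(raw):
    """PROCTITLE is hex with NUL-separated argv when the command line contains spaces."""
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace").split("\0")
    except ValueError:  # plain (unencoded) form, e.g. proctitle="lsmod"
        return raw.split(" ")

def module_events(text):
    """Return module load/unload events, flagging loads whose argv names a staging path."""
    results = []
    for serial, f in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        name = MODULE_SYSCALLS.get(int(f.get("syscall", -1)))
        if name is None or f.get("arch") != "c000003e":
            continue
        argv = decode_proctitle(f.get("proctitle", ""))
        suspicious = name != "delete_module" and any(a.startswith(SUSPICIOUS_DIRS) for a in argv)
        results.append({"serial": serial, "syscall": name, "exe": f.get("exe"),
                        "auid": f.get("auid"), "argv": argv, "suspicious": suspicious})
    return results
```

The auid field survives the root transition, so the result shows which login session performed the load even though uid is 0.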

Detections

Domain: Enterprise | ID: T1547 | Name: Boot or Logon Autostart Execution

Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.

Domain: Enterprise | ID: T1547.006 | Name: Kernel Modules and Extensions

LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. [3]

Domain: Enterprise | ID: T1611 | Name: Escape to Host

Monitor for the installation of kernel modules that could be abused to escape containers on a host.

References