Detection of Kernel/User-Level Rootkit Behavior Across Platforms

Technique Detected: Rootkit | T1014

ID: DET0377
Domains: Enterprise
Analytics: AN1061, AN1062, AN1063
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1061

Unauthorized or anomalous loading of kernel-mode drivers or DLLs, concealed services, or abnormal modification of boot components indicative of rootkit activity.

Log Sources
  Data Component    Name    Channel
  Driver Load       DC0079  WinEventLog:Sysmon EventCode=6
  Service Creation  DC0060  WinEventLog:Security EventCode=7045
  File Creation     DC0039  WinEventLog:Sysmon EventCode=11

Mutable Elements
  Field                  Description
  DriverSignatureStatus  Signed vs. unsigned drivers; many environments restrict unsigned drivers, but some legacy systems allow them.
  TargetDirectory        Suspicious driver or DLL drop locations, e.g., \System32\Drivers\ or \Temp\
  UserContext            Rootkit installation via admin or SYSTEM account.
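The following is an added example, not part of the ATT&CK page and not MITRE's own analytic code. It turns the three mutable elements of AN1061 (DriverSignatureStatus, TargetDirectory, UserContext) into tunables and evaluates them over constructed records shaped like Sysmon Event 6 (driver load), Event 11 (file create) and service-install Event 7045. The field names follow common Sysmon/Windows event conventions, but every record, account name and directory pattern below is constructed, and the allowed-installer list and directory regexes are assumptions an organization would replace with its own baseline.

```python
"""Added example (not from the ATT&CK page): evaluate AN1061 over constructed
Windows event records. Records, account names and thresholds are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Tunables:
    """Mutable elements of AN1061 expressed as tunables (assumed values)."""
    # DriverSignatureStatus: any other status is treated as unsigned/untrusted.
    trusted_signature_status: tuple = ("Valid",)
    # TargetDirectory: drop locations that warrant a closer look (regexes).
    suspicious_dirs: tuple = (r"\\Temp\\", r"\\Users\\[^\\]+\\AppData\\", r"\\ProgramData\\")
    # UserContext: accounts that may legitimately install drivers (constructed).
    allowed_installers: tuple = ("NT AUTHORITY\\SYSTEM", "CORP\\driver-svc")


def _in_suspicious_dir(path, tun):
    return any(re.search(p, path, re.IGNORECASE) for p in tun.suspicious_dirs)


def evaluate_event(ev, tun):
    """Return the list of reasons this event matches AN1061; empty if benign."""
    reasons = []
    code = ev.get("EventCode")
    if code == 6:  # Sysmon Driver Load
        if ev.get("SignatureStatus") not in tun.trusted_signature_status:
            reasons.append("unsigned or untrusted driver signature")
        if _in_suspicious_dir(ev.get("ImageLoaded", ""), tun):
            reasons.append("driver loaded from suspicious directory")
    elif code == 7045:  # service installed
        if ev.get("ServiceType") == "kernel mode driver":
            if _in_suspicious_dir(ev.get("ImagePath", ""), tun):
                reasons.append("kernel driver service points into suspicious directory")
            if ev.get("User") not in tun.allowed_installers:
                reasons.append("driver service installed by non-approved account")
    elif code == 11:  # Sysmon File Create
        target = ev.get("TargetFilename", "")
        if (re.search(r"\\System32\\drivers\\.*\.sys$", target, re.IGNORECASE)
                and ev.get("User") not in tun.allowed_installers):
            reasons.append(".sys dropped into drivers directory by non-approved account")
    return reasons


def evaluate_events(events, tun=Tunables()):
    """Return [(RecordId, reasons)] for every event matching at least one rule."""
    alerts = []
    for ev in events:
        reasons = evaluate_event(ev, tun)
        if reasons:
            alerts.append((ev["RecordId"], reasons))
    return alerts


# Constructed sample events; field names mimic Sysmon/Security conventions.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventCode": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"RecordId": 2, "EventCode": 6, "ImageLoaded": r"C:\Windows\Temp\upd.sys",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"RecordId": 3, "EventCode": 7045, "ServiceName": "NetFilterHelper",
     "ServiceType": "kernel mode driver", "ImagePath": r"\??\C:\ProgramData\nf.sys",
     "User": "CORP\\jdoe"},
    {"RecordId": 4, "EventCode": 11, "TargetFilename": r"C:\Windows\System32\drivers\hide.sys",
     "User": "CORP\\jdoe"},
    {"RecordId": 5, "EventCode": 11, "TargetFilename": r"C:\Users\jdoe\report.docx",
     "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for record_id, reasons in evaluate_events(SAMPLE_EVENTS):
        print(record_id, "; ".join(reasons))
```

Against the constructed sample, records 2, 3 and 4 match and record 1 (a validly signed driver in the normal location) and record 5 (an ordinary document) do not. The point of keeping the three tunables explicit is that the same logic can be loosened for a legacy fleet that still permits unsigned drivers without editing the rule bodies.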

AN1062

Abnormal loading of kernel modules, direct tampering with /dev, /proc, or LD_PRELOAD behaviors hiding processes or files.

Log Sources
  Data Component     Name    Channel
  Process Creation   DC0032  auditd:EXECVE None
  File Modification  DC0061  linux:osquery file_events
  Module Load        DC0016  linux:syslog kmod

Mutable Elements
  Field                 Description
  MonitoredDirectories  Directories where kernel modules or tampering could be staged (e.g., /lib/modules/).
  ModuleNamePattern     Regex or heuristic match to anomalous module names (e.g., suspicious entropy or gibberish).
  LD_PRELOAD            Monitor presence of suspicious preload values that mask processes or files.
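The following is an added example, not part of the ATT&CK page and not MITRE's own analytic code. It implements the three mutable elements of AN1062 as checks over constructed Linux telemetry: kernel syslog lines for module loads (the "loading out-of-tree module" and "module verification failed" messages are genuine kernel wording, the timestamps and module names are constructed), auditd EXECVE records for insmod/modprobe, and LD_PRELOAD values. The module baseline, allowed preload list, expected module roots and the gibberish thresholds are assumptions to be tuned per environment; the entropy/vowel heuristic is one illustration of a ModuleNamePattern, not a recommendation that it is sufficient alone.

```python
"""Added example (not from the ATT&CK page): checks for AN1062 over constructed
Linux telemetry. All sample lines, baselines and thresholds are constructed."""
import math
import os
import re
from collections import Counter

# Mutable elements of AN1062 as tunables (assumed values).
EXPECTED_MODULE_ROOTS = ("/lib/modules/", "/usr/lib/modules/")       # MonitoredDirectories
BASELINE_MODULES = {"e1000e", "nf_conntrack", "xt_tcpudp", "tcp_bbr"}  # e.g. lsmod from a gold image
ALLOWED_PRELOADS = {"/usr/lib/libsnoopy.so"}                          # approved LD_PRELOAD entries

KMOD_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?(?P<mod>[A-Za-z0-9_-]+): "
    r"(?P<msg>loading out-of-tree module|module verification failed)")
ARGV_RE = re.compile(r'\ba(\d+)="([^"]*)"')


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_gibberish(name, vowel_ratio_min=0.15, digit_ratio_max=0.3, entropy_max=3.5):
    """ModuleNamePattern heuristic: a name absent from the baseline with few
    vowels, many digits or unusually high per-character entropy."""
    if name in BASELINE_MODULES:
        return False
    low = name.lower()
    letters = [c for c in low if c.isalpha()]
    vowels = sum(c in "aeiou" for c in letters)
    digits = sum(c.isdigit() for c in low)
    vowel_ratio = vowels / len(letters) if letters else 0.0
    return (vowel_ratio < vowel_ratio_min
            or digits / len(low) > digit_ratio_max
            or shannon_entropy(low) > entropy_max)


def check_syslog(lines):
    """Module Load: unverified (unsigned) modules and anomalous module names."""
    findings = []
    for line in lines:
        m = KMOD_RE.search(line)
        if not m:
            continue
        mod = m.group("mod")
        candidates = []
        if "verification failed" in m.group("msg"):
            candidates.append(("unsigned_module", mod))
        if looks_gibberish(mod):
            candidates.append(("anomalous_module_name", mod))
        findings.extend(f for f in candidates if f not in findings)  # de-duplicate
    return findings


def check_execve(records):
    """Process Creation: insmod/modprobe given a .ko outside the module tree."""
    findings = []
    for rec in records:
        argv = [v for _, v in sorted(ARGV_RE.findall(rec), key=lambda kv: int(kv[0]))]
        if not argv or os.path.basename(argv[0]) not in ("insmod", "modprobe"):
            continue
        for arg in argv[1:]:
            if arg.endswith(".ko") and not arg.startswith(EXPECTED_MODULE_ROOTS):
                findings.append(("module_outside_tree", arg))
    return findings


def check_preload(env, ld_so_preload_text):
    """LD_PRELOAD: entries from the environment or /etc/ld.so.preload not on the allowlist."""
    entries = re.split(r"[:\s]+", env.get("LD_PRELOAD", "")) + ld_so_preload_text.split()
    return [("unexpected_preload", p) for p in entries if p and p not in ALLOWED_PRELOADS]


# Constructed samples (timestamps, hosts, module names and paths are made up).
SYSLOG_LINES = [
    "Oct 21 09:12:01 web01 kernel: [   12.345678] wireguard: loading out-of-tree module taints kernel.",
    "Oct 21 09:40:17 web01 kernel: [ 1802.110931] zj8q2kxv: loading out-of-tree module taints kernel.",
    "Oct 21 09:40:17 web01 kernel: [ 1802.110940] zj8q2kxv: module verification failed: "
    "signature and/or required key missing - tainting kernel",
]
EXECVE_RECORDS = [
    'type=EXECVE msg=audit(1761037217.552:9321): argc=2 a0="/sbin/modprobe" a1="wireguard"',
    'type=EXECVE msg=audit(1761038901.004:9410): argc=2 a0="insmod" a1="/tmp/.x/zj8q2kxv.ko"',
]
SAMPLE_ENV = {"LD_PRELOAD": "/usr/lib/libsnoopy.so:/tmp/libhide.so"}
SAMPLE_LD_SO_PRELOAD = ""  # contents of /etc/ld.so.preload, empty here


def run_all():
    return (check_syslog(SYSLOG_LINES) + check_execve(EXECVE_RECORDS)
            + check_preload(SAMPLE_ENV, SAMPLE_LD_SO_PRELOAD))


if __name__ == "__main__":
    for kind, value in run_all():
        print(kind, value)
```

Note that the baseline set does real work: a legitimate name such as tcp_bbr has no vowels and would trip the ratio heuristic on its own, which is why a name heuristic should only apply to modules not already known from an approved image.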

AN1063

Execution of unsigned kernel extensions (KEXTs), tampering with LaunchDaemons, or userspace hooks into system libraries.

Log Sources
  Data Component     Name    Channel
  Module Load        DC0016  macos:unifiedlog subsystem=com.apple.kextd
  Service Creation   DC0060  macos:osquery launch_daemons
  File Modification  DC0061  fs:fsevents Extensions

Mutable Elements
  Field                  Description
  KextSignatureStatus    Allowable level of unsigned/third-party kernel extensions varies by organization.
  KextLoadOrigin         Detect whether the extension was loaded by an untrusted process or non-root user.
  AnomalousLaunchAgent   Detection tuned based on deviation from known/approved LaunchDaemon plist files.
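The following is an added example, not part of the ATT&CK page and not MITRE's own analytic code. It covers the three mutable elements of AN1063: kext signature status and load origin are checked over records in a normalized shape this example assumes (bundle id, signed flag, signing team, loading process and uid) rather than raw unified-log output, and LaunchDaemon drift is detected by fingerprinting plist contents against an approved baseline and checking the program path. The plists are built inline with the standard plistlib module so the example runs offline; the trusted team, trusted loader paths, approved program roots and all labels and paths are constructed assumptions.

```python
"""Added example (not from the ATT&CK page): checks for AN1063 over constructed
macOS data. Kext records use an assumed normalized shape; plists are built inline."""
import hashlib
import plistlib

# Tunables for the analytic's mutable elements (assumed values).
TRUSTED_KEXT_TEAMS = {"Apple"}                       # KextSignatureStatus
TRUSTED_KEXT_LOADERS = {"/usr/libexec/kernelmanagerd", "/usr/libexec/kextd"}  # KextLoadOrigin
APPROVED_PROGRAM_ROOTS = ("/usr/", "/System/", "/Library/Apple/")             # AnomalousLaunchAgent


def check_kext_records(records):
    """Flag kexts that are unsigned or signed by an unapproved team, and kext
    loads requested by a process or user other than the system loader as root."""
    findings = []
    for r in records:
        bid = r["bundle_id"]
        if not r.get("signed"):
            findings.append(("unsigned_kext", bid))
        elif r.get("team") not in TRUSTED_KEXT_TEAMS:
            findings.append(("third_party_kext", bid))
        if r.get("loader") not in TRUSTED_KEXT_LOADERS or r.get("uid") != 0:
            findings.append(("untrusted_kext_origin", bid))
    return findings


def plist_fingerprint(data):
    """SHA-256 of the raw plist bytes, used as the approved-baseline fingerprint."""
    return hashlib.sha256(data).hexdigest()


def check_launch_daemons(current, baseline):
    """current: {plist path: plist bytes}; baseline: {plist path: approved sha256}.
    Reports new, removed and modified daemons and programs outside approved roots."""
    findings = []
    for path in sorted(set(current) | set(baseline)):
        if path not in baseline:
            findings.append(("new_daemon", path))
        elif path not in current:
            findings.append(("removed_daemon", path))
        elif plist_fingerprint(current[path]) != baseline[path]:
            findings.append(("modified_daemon", path))
        if path in current:
            plist = plistlib.loads(current[path])
            prog = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
            if not prog.startswith(APPROVED_PROGRAM_ROOTS):
                findings.append(("program_outside_approved_roots", path))
    return findings


# Constructed samples: an approved plist, a modified copy of it, and a new daemon.
APPROVED_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/usr/local/bin/backup", "--daily"],
    "RunAtLoad": True,
})
TAMPERED_PLIST = plistlib.dumps({
    "Label": "com.example.backup",
    "ProgramArguments": ["/Library/Application Support/.cache/upd"],
    "RunAtLoad": True,
})
BACKUP_PATH = "/Library/LaunchDaemons/com.example.backup.plist"
HELPER_PATH = "/Library/LaunchDaemons/com.example.helper.plist"
BASELINE = {BACKUP_PATH: plist_fingerprint(APPROVED_PLIST)}
CURRENT = {
    BACKUP_PATH: TAMPERED_PLIST,
    HELPER_PATH: plistlib.dumps({"Label": "com.example.helper", "Program": "/usr/local/bin/helper"}),
}
KEXT_RECORDS = [
    {"bundle_id": "com.apple.driver.AppleHDA", "signed": True, "team": "Apple",
     "loader": "/usr/libexec/kernelmanagerd", "uid": 0},
    {"bundle_id": "com.example.netfilter", "signed": False, "team": None,
     "loader": "/Users/jdoe/Downloads/installer", "uid": 501},
]

if __name__ == "__main__":
    for kind, value in check_kext_records(KEXT_RECORDS) + check_launch_daemons(CURRENT, BASELINE):
        print(kind, value)
```

Fingerprinting whole plist bytes catches any edit, including changes to keys the program-path check does not look at (KeepAlive, EnvironmentVariables, and so on), while the program-root check still fires on a daemon the baseline has never seen. plistlib.dumps sorts keys by default, so the fingerprint of a rebuilt plist is stable.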