Detection Strategy for Kernel Modules and Extensions Autostart Execution

ID: DET0450
Domains: Enterprise
Analytics: AN1243, AN1244
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1243

Monitor kernel module load/unload activity via modprobe, insmod, rmmod, or direct manipulation of /lib/modules. Correlate with installation of kernel headers, compilation commands, or downloads of .ko files. Detect anomalies in unsigned module loading or repeated module load attempts under non-root users.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:SYSCALL | Execution of insmod, modprobe, or rmmod commands by non-standard users or outside expected timeframes |
| File Creation (DC0039) | auditd:SYSCALL | Access or modification to /lib/modules or creation of .ko files |
| File Modification (DC0061) | linux:osquery | New or modified kernel object files (.ko) within the /lib/modules directory |

Mutable Elements

| Field | Description |
|---|---|
| UserContext | Scope detection to non-root or unexpected users performing module-related activity |
| TimeWindow | Limit alerts to module activity outside approved change windows |
| FilePathRegex | Adjust the regex pattern for directories to monitor depending on kernel version or distro |
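The following is an added worked example, not code from the DET0450 page, showing how AN1243's three mutable elements can be applied to auditd SYSCALL and PATH records. The audit lines, the 02:00-04:00 UTC change window and the raw x86_64 syscall numbers are assumptions constructed for the example.

```python
import re
from datetime import datetime, time, timezone

# Tunables mirroring AN1243's mutable elements; values are constructed for this example.
ALLOWED_UIDS = {0}                        # UserContext: only root is expected to manage modules
CHANGE_WINDOW = (time(2, 0), time(4, 0))  # TimeWindow: approved maintenance window (UTC)
MODULE_PATH_RE = re.compile(r"^/lib/modules/.*\.ko$")  # FilePathRegex: adjust per distro/kernel layout

MODULE_TOOLS = {"insmod", "modprobe", "rmmod"}
MODULE_SYSCALLS = {"175", "176", "313"}  # raw x86_64 numbers: init_module, delete_module, finit_module
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"audit\((\d+)\.\d+:\d+\)")

# Constructed auditd records standing in for a real audit.log.
SAMPLE_RECORDS = [
    # root loads a module inside the 02:00-04:00 UTC window: expected, no finding
    'type=SYSCALL msg=audit(1700017200.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=0 uid=0 comm="modprobe" exe="/usr/sbin/modprobe" key="kernel_modules"',
    # non-root user runs insmod at 14:30 UTC: UserContext and TimeWindow both fire
    'type=SYSCALL msg=audit(1700058600.555:310): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 comm="insmod" exe="/usr/sbin/insmod" key="kernel_modules"',
    # a new .ko file created under /lib/modules
    'type=PATH msg=audit(1700058601.001:311): item=1 name="/lib/modules/6.1.0/extra/custom.ko" inode=4242 mode=0100644 nametype=CREATE',
    # unrelated command by the same user: ignored
    'type=SYSCALL msg=audit(1700058700.000:320): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1210 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls"',
]

def parse_record(line):
    """Split one auditd record into key=value fields and attach a UTC timestamp."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = TS_RE.search(fields.get("msg", ""))
    fields["ts"] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc) if m else None
    return fields

def analyze(lines):
    """Return (rule, detail) findings for module-related activity in the records."""
    findings = []
    for rec in map(parse_record, lines):
        if rec.get("type") == "SYSCALL":
            if rec.get("comm") not in MODULE_TOOLS and rec.get("syscall") not in MODULE_SYSCALLS:
                continue
            auid = rec.get("auid", "")
            who = f'{rec.get("comm")} by auid={auid}'
            if not auid.isdigit() or int(auid) not in ALLOWED_UIDS:
                findings.append(("UserContext", who))
            if rec["ts"] and not CHANGE_WINDOW[0] <= rec["ts"].time() <= CHANGE_WINDOW[1]:
                findings.append(("TimeWindow", f'{who} at {rec["ts"].isoformat()}'))
        elif rec.get("type") == "PATH" and rec.get("nametype") == "CREATE":
            if MODULE_PATH_RE.match(rec.get("name", "")):
                findings.append(("FileCreation", rec["name"]))
    return findings
```

Calling `analyze(SAMPLE_RECORDS)` yields three findings (UserContext and TimeWindow for the non-root insmod, FileCreation for the new .ko), while the root load inside the window and the unrelated command produce none.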

AN1244

Detect user-initiated kextload commands or modifications to /Library/Extensions. Correlate with changes to KextPolicy database or unauthorized developer signing identities. Alert on attempts to disable SIP or load legacy extensions from unsigned sources.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | macos:unifiedlog | kextload execution from Terminal or suspicious paths |
| Process Creation (DC0032) | macos:osquery | Processes executing kextload, spctl, or modifying kernel extension directories |
| Kernel Module Load (DC0031) | macos:osquery | New kext entries not signed by Apple or outside the standard identifier prefix |
| File Modification (DC0061) | macos:osquery | Modifications to /var/db/SystemPolicyConfiguration/KextPolicy or the kext_policy table |

Mutable Elements

| Field | Description |
|---|---|
| DeveloperIDAllowlist | Approved developer IDs whose kexts should not trigger alerts |
| KextLoadTimeWindow | Threshold for detecting kext loads outside standard install/update operations |
| SignatureCheckFlag | Flag to enforce strict signing checks depending on SIP status |