Boot or Logon Autostart Execution: Kernel Modules and Extensions (T1547.006)
Tactics: Persistence, Privilege Escalation
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.
Events covered
3 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
| Linux-Auditd | Event ID 1300 | SYSCALL |
| Service-Control-Manager | Event ID 7045 | A service was installed in the system. |
Authoring guide
Patterns shared across the 28 rules listed below: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (30 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (268 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for a useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (168 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma (3 rules)
- Kernel Extension Loaded from Temporary Directory
- Loading of Kernel Module via Insmod
- Unsigned Kernel Extension Load Attempt
Elastic (16 rules)
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- BPF Program or Map Load via bpftool
- First Time Seen Driver Loaded
- Kernel Driver Load
- Kernel Driver Load by non-root User
- Kernel Load or Unload via Kexec Detected
- Kernel Module Load from Unusual Location
- Kernel Module Load via Built-in Utility
- Kernel Module Removal
- Kernel Object File Creation
- Loadable Kernel Module Configuration File Creation
- Potential Persistence via File Modification
- Suspicious Modprobe File Event
- Suspicious Usage of bpf_probe_write_user Helper
- Tainted Kernel Module Load
- Tainted Out-Of-Tree Kernel Module Load
Splunk (9 rules)
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Install Kernel Module Using Modprobe Utility
- Linux Auditd Kernel Module Using Rmmod Utility
- Linux Auditd Unload Module Via Modprobe
- Linux File Created In Kernel Driver Directory
- Linux Insert Kernel Module Using Insmod Utility
- Linux Install Kernel Module Using Modprobe Utility
- Windows Snake Malware Kernel Driver Comadmin
- Windows Snake Malware Service Create