T1215 · threatengine.sh

Home/ATT&CK Technique/Kernel Modules and Extensions

ATT&CK Technique

Kernel Modules and Extensions

T1215 · persistence

▤ Generate a SIEM detection for T1215 ◈ Vendor-native detections for T1215 ⚠ CVEs mapped to T1215 ♛ Hunt package for T1215 ◎ Check your coverage for T1215

Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0). Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses.

Examples have been found in the wild and there are some open source projects. Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux.

They are loaded and unloaded through kextload and kextunload commands. Several examples have been found where this can be used. Examples have been found in the wild.

LinuxmacOS

▸ How to use this page - the detection-engineering loop

Attackers have goals (tactics - “get credentials”, “move laterally”) and techniques are the concrete methods they use to reach them. This page is one method - T1215 - broken into everything you need to catch it.

The loop this page is built for (this is the job):

Understand the behaviour - read the description and the Atomic Tests to see exactly what the attacker does on a host or network.
Find the telemetry - what data source would reveal it (process creation, registry, network flow, auth logs). Detection Coverage shows which surfaces already have a rule and which are blind.
Get or write the detection - adapt ready logic (CAR Analytics, SIEM Detections, Falco, or Sigma via Generate a SIEM detection), or author your own.
Test it - run an Atomic Test in a lab and confirm your rule actually fires. A detection you have not tested is a hope, not coverage.
Deploy and tune - push it, then watch for false positives and adjust.

What each panel is for:

Atomic Testssafely reproduce the technique in a lab to validate that a detection fires. Detection Coveragewhich detection surfaces have a rule for this technique; none is a blind spot to close, or simply not applicable (YARA matches files, not network behaviour). CAR / SIEM / Falcoready-made detection logic (Splunk SPL, Elastic EQL, Sentinel KQL, Falco) you adapt to your own SIEM. Mitigationsreduce exposure so the technique is harder to use at all - prevent, not just detect. Actors / Attributionwho actually uses this, so you prioritise by your own threat model. Attack Path / LOTLwhat attackers do before and after this step, and the legitimate tools they abuse to do it.

Where this fits: you usually arrive here from a CVE (“which techniques does it enable”) and leave with a tested detection deployed. The buttons above jump straight to building one, the deployable rules, the CVEs that use T1215, and a hunt package.

◈

Detection Coverage

0/9 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) none

Analytics (MITRE CAR) none

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

SIEM (Splunk ESCU) none

SIEM (Elastic) none

SIEM (Azure Sentinel) none

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)