DET0450: Detection Strategy for Kernel Modules and Extensions Autostart Execution
Analyst context for executives and security teams
DET0450 matters because it is tied to attempts to gain persistence or elevated capability by loading kernel modules or extensions at boot on Linux and macOS systems. For leaders, the practical issue is not just malware detection; it is whether critical endpoints and servers have enough low-level visibility to prove that kernel-level autostart behavior is authorized, reviewed, and recoverable during an incident.
Executive priority
Prioritize this as a resilience and assurance question for Linux and macOS assets that support business-critical operations. Security leaders should ask whether teams can inventory approved kernel modules/extensions, detect unexpected boot-time loading behavior, and produce evidence for incident response or compliance reviews. Because kernel-level activity can sit below many ordinary application controls, coverage gaps can materially affect containment confidence and recovery decisions.
Technical view
The ATT&CK detection strategy has no official detection text or platform list of its own, but it detects technique T1547.006, Kernel Modules and Extensions, associated with persistence and privilege escalation on macOS and Linux. SOC and IR teams should validate telemetry around kernel module or extension inventory, load/unload events, boot-time persistence locations or configurations, privileged file changes, and administrative actions that alter kernel extension/module behavior. Detection engineering should focus on deviations from known-good baselines rather than generic matching alone.
Likely telemetry
- Linux kernel module inventory and load/unload event evidence
- macOS kernel extension or system extension inventory and load evidence where available
- Boot and startup configuration changes related to module or extension loading
- File integrity or change telemetry for privileged module/extension paths and configuration files
- Process, command, and administrative session logs showing privileged changes
Detection direction
- Build or validate baselines of approved kernel modules/extensions for critical Linux and macOS assets.
- Alert on newly observed, unsigned, unexpected, or rarely seen modules/extensions where local policy and telemetry support that distinction.
- Correlate module/extension changes with privileged user activity, software installation, maintenance windows, and boot events to reduce false positives.
- Confirm whether endpoint tooling can observe kernel-level autostart behavior; many visibility gaps appear only after an incident test or forensic review.
- Use the relationship to T1547.006 to frame detections around persistence and privilege-escalation investigation paths rather than treating events as isolated configuration changes.
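The baseline-drift approach sketched in the telemetry and detection-direction lists above, as an added Python example (not code from MITRE, the ATT&CK object, or Glexia). It assumes three Linux inputs, all constructed inline here: a /proc/modules snapshot, a kernel log excerpt whose message shapes mirror the real "out-of-tree" and "module verification failed" taint messages, and a modules-load.d style autoload list. Each loaded module is checked against an approved baseline and annotated with why it deserves review.

```python
"""Baseline drift check for Linux kernel modules (added example, not from the page).

Flags loaded modules that are absent from an approved baseline, configured to
autoload at boot, or reported by the kernel as unsigned / out-of-tree at load.
"""
import re
from dataclasses import dataclass, field

# Constructed /proc/modules snapshot. Columns: name size refcount deps state offset.
PROC_MODULES = """\
nf_tables 245760 1 nft_compat, Live 0x0000000000000000
nft_compat 20480 0 - Live 0x0000000000000000
ext4 778240 1 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
diag_helper 16384 0 - Live 0x0000000000000000
netmon_hook 24576 0 - Live 0x0000000000000000
"""

# Constructed kernel log excerpt (dmesg style); message text mirrors real Linux taint messages.
KERNEL_LOG = """\
[   12.010000] diag_helper: loading out-of-tree module taints kernel.
[   12.010500] diag_helper: module verification failed: signature and/or required key missing - tainting kernel
[  840.221000] netmon_hook: loading out-of-tree module taints kernel.
"""

# Constructed boot-time autoload list in /etc/modules-load.d/*.conf format (one module per line).
MODULES_LOAD_CONF = """\
# storage
diag_helper
netmon_hook
"""

# Approved baseline for this host class; in practice generated from a known-good build.
BASELINE = {"nf_tables", "nft_compat", "ext4", "mbcache", "diag_helper"}


@dataclass
class Finding:
    module: str
    reasons: list = field(default_factory=list)


def parse_proc_modules(text):
    """Return {name: {"size": int, "deps": [...], "state": str}} from /proc/modules text."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        name, size, _refs, deps, state = parts[:5]
        dep_list = [] if deps == "-" else [d for d in deps.split(",") if d]
        mods[name] = {"size": int(size), "deps": dep_list, "state": state}
    return mods


_TAINT_RE = re.compile(
    r"\]\s+(?P<mod>[\w-]+): (?P<msg>loading out-of-tree module taints kernel|module verification failed)"
)


def parse_kernel_log(text):
    """Map module name -> set of taint tags ("out-of-tree", "unsigned") seen in the kernel log."""
    reasons = {}
    for line in text.splitlines():
        m = _TAINT_RE.search(line)
        if m:
            tag = "out-of-tree" if m.group("msg").startswith("loading") else "unsigned"
            reasons.setdefault(m.group("mod"), set()).add(tag)
    return reasons


def parse_modules_load_conf(text):
    """Return the set of module names configured to autoload, ignoring blanks and comments."""
    return {ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")}


def check_modules(proc_text, log_text, autoload_text, baseline):
    """Return a Finding per loaded module that drifts from the baseline or carries taint evidence."""
    loaded = parse_proc_modules(proc_text)
    taints = parse_kernel_log(log_text)
    autoload = parse_modules_load_conf(autoload_text)
    findings = []
    for name in sorted(loaded):
        f = Finding(name)
        if name not in baseline:
            f.reasons.append("not in approved baseline")
        if name in autoload:
            f.reasons.append("configured for boot-time autoload")
        for tag in sorted(taints.get(name, ())):
            f.reasons.append(f"kernel reported {tag} at load")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in check_modules(PROC_MODULES, KERNEL_LOG, MODULES_LOAD_CONF, BASELINE):
        print(f"{finding.module}: {'; '.join(finding.reasons)}")
```

Note that a module can be in the baseline and still surface (diag_helper here): the baseline answers "is it approved", while the kernel log answers "was it signed and in-tree when loaded", and the two should be correlated with the maintenance-window and privileged-session context the list above calls for before an alert is raised.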
Mitigation priorities
- Define ownership and approval processes for kernel modules/extensions on Linux and macOS systems.
- Maintain an authorized baseline for critical systems and review drift regularly.
- Restrict privileged administrative ability to install or modify kernel-level components using least privilege and change control.
- Collect and retain sufficient endpoint, boot, administrative, and file-change telemetry to support investigation.
- Test incident response procedures for validating, isolating, and restoring systems with suspicious kernel-level persistence indicators.
Analyst notes and limits
MITRE provides the detection strategy identifier DET0450 and the relationship showing it detects T1547.006. The supplied detection-strategy object does not include an official description, official detection logic, tactics, or platforms; platform and tactic context comes from the related ATT&CK technique only.
This take is limited to the supplied STIX fields, external reference, and relationship context. It does not assert active exploitation, adversary attribution, vendor-specific coverage, or guaranteed detection. Local asset inventory, operating system versions, endpoint tooling capabilities, and approved module/extension baselines are required to make this operational.
Detection Strategy for Kernel Modules and Extensions Autostart Execution
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.006 | Kernel Modules and Extensions Sub-technique | This object detects Kernel Modules and Extensions. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3e304b7c9154… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0450 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.