MITRE ATT&CK® Technique

T1547.006: Kernel Modules and Extensions

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.[1]

When used maliciously, LKMs can be a type of kernel-mode Rootkit that runs with the highest operating system privilege (Ring 0).[2] Common features of LKM-based rootkits include hiding themselves, selective hiding of files, processes, and network activity, log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.[3]

Kernel extensions, also called kexts, are used in macOS to load functionality onto a system in a way similar to LKMs on Linux. Since the kernel is responsible for enforcing security and kernel extensions run as part of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through the kextload and kextunload commands. Kexts need to be signed with a developer ID that has been granted privileges by Apple allowing it to sign kernel extensions. Developers without these privileges may still sign kexts, but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.[4]

Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.[5]

Adversaries can use LKMs and kexts to conduct Persistence and/or Privilege Escalation on a system. Examples have been found in the wild, and there are some relevant open source projects as well.[6][7][8][9][10][11][12][13]

Domain: Enterprise. ID: T1547.006. Type: Sub-technique. Object version: 1.4.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Kernel modules on Linux and kernel extensions on macOS run at the highest operating-system privilege. If an adversary can make one load at boot, the system may remain compromised while hiding files, processes, network activity, or logs. This matters because normal endpoint and SOC visibility can be weakened by the same component providing persistence or privilege escalation.

Executive priority

Treat this as a high-assurance endpoint integrity issue for Linux and macOS assets, especially servers, developer systems, and other machines where root or administrator misuse would threaten continuity or sensitive intellectual property. Leaders should ask whether privileged account controls, approved kernel/module inventories, macOS kernel-extension governance, and incident response procedures can prove what kernel code is allowed to run and what changed after a suspected compromise.

Technical view

This is ATT&CK T1547.006, a Linux/macOS sub-technique of Boot or Logon Autostart Execution used for persistence and privilege escalation. MITRE does not provide official detection text for this object, but the relationship set includes DET0450, a detection strategy for kernel modules and extensions autostart execution. SOC and IR teams should validate monitoring around loadable kernel modules, macOS kext activity via kextload/kextunload, boot-time module loading, privileged account use, and evidence of rootkit behavior such as hidden processes, files, network activity, or log tampering. Because kernel-mode code can interfere with visibility, host telemetry should be corroborated with trusted baselines, recovery images, and out-of-band evidence where available.

Likely telemetry

  • Linux kernel module inventory and module load/unload evidence
  • macOS kernel extension inventory and kextload/kextunload command activity
  • Boot-time startup and system configuration evidence related to module or extension loading
  • Privileged account activity, especially root or administrative actions preceding module changes
  • Endpoint security and antimalware alerts related to rootkits or unauthorized kernel-level code

Detection direction

  • Build and tune detections around new, unexpected, unsigned, deprecated, or policy-disallowed kernel modules/extensions on Linux and macOS.
  • Compare observed modules/extensions against known-good baselines for each asset class; investigate drift on high-value systems first.
  • Correlate kernel module or kext changes with privileged account activity and boot/logon persistence context from parent technique T1547.
  • Account for false positives from legitimate device drivers, security tools, virtualization components, and approved legacy macOS system extensions.
  • Do not rely only on local host logs; the technique description notes rootkit behaviors including hiding activity and log tampering, so corroboration is important during IR.
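
As an added example that is not part of the MITRE object or the Glexia analysis, the following Python script applies two of the checks above on a Linux host: it diffs the kernel's module list against an asset-specific approved baseline, flags the out-of-tree (O) and unsigned (E) taint letters that /proc/modules prints after a tainted entry, and cross-checks /proc/modules against /sys/module, because a module that is visible in sysfs but missing from /proc/modules is the footprint of the self-hiding behaviour the description mentions. The sample /proc/modules text, the sysfs name set and the baseline are constructed, and hidden_mod is a placeholder name.

```python
import re
from pathlib import Path

# /proc/modules line: "name size refcount deps state address [(taints)]";
# taint letter O = out-of-tree, E = unsigned (shown only when the module is tainted).
PROC_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+\d+\s+\S+\s+\S+\s+0x[0-9a-fA-F]+(?:\s+\((?P<taint>[A-Z+]+)\))?"
)

def parse_proc_modules(text):
    """Map module name -> taint-flag string ('' when untainted) for every parseable line."""
    mods = {}
    for line in text.splitlines():
        m = PROC_LINE.match(line.strip())
        if m:
            mods[m["name"]] = m["taint"] or ""
    return mods

def sys_module_loaded():
    """Names under /sys/module that have an initstate file, i.e. loadable modules;
    built-in code also gets a /sys/module entry but never an initstate."""
    return {p.name for p in Path("/sys/module").iterdir() if (p / "initstate").exists()}

def assess(proc_text, sys_loaded, baseline):
    """Return sorted (module, reason) findings: baseline drift, taint flags, and
    modules visible in sysfs but absent from /proc/modules (a self-hiding artifact)."""
    listed = parse_proc_modules(proc_text)
    findings = set()
    for name, taint in listed.items():
        if name not in baseline:
            findings.add((name, "not in approved baseline"))
        if "E" in taint:
            findings.add((name, "unsigned module (taint E)"))
        elif "O" in taint:
            findings.add((name, "out-of-tree module (taint O)"))
    for name in sys_loaded - set(listed):
        findings.add((name, "present in /sys/module but hidden from /proc/modules"))
    return sorted(findings)

# Constructed sample input: a host with one unapproved out-of-tree/unsigned module
# and one module (placeholder name hidden_mod) that has removed itself from the list.
SAMPLE_PROC = """\
xfs 1654784 2 - Live 0x0000000000000000
virtio_net 77824 0 - Live 0x0000000000000000
vboxguest 401408 0 - Live 0x0000000000000000 (OE)
"""
SAMPLE_SYS = {"xfs", "virtio_net", "vboxguest", "hidden_mod"}
SAMPLE_BASELINE = {"xfs", "virtio_net"}

if __name__ == "__main__":
    for mod, why in assess(SAMPLE_PROC, SAMPLE_SYS, SAMPLE_BASELINE):
        print(f"{mod}: {why}")
```

On a real host call assess(Path("/proc/modules").read_text(), sys_module_loaded(), approved) with the asset's approved set; a hit is a lead to corroborate against a trusted image or out-of-band evidence, not a verdict on its own.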

Mitigation priorities

  • Prioritize privileged account management and least privilege for root/administrator access, consistent with M1026 and M1018.
  • Restrict execution or loading of unauthorized code where feasible, consistent with M1038, including governance over approved kernel modules and macOS kernel extensions.
  • Maintain antimalware/endpoint protection coverage for Linux and macOS, recognizing that kernel-mode threats may reduce local visibility and require layered validation.
  • For macOS, manage kernel extension approval and legacy system extension use through policy and configuration processes supported by Apple platform guidance referenced by MITRE.
  • Keep an asset-specific inventory of approved drivers, LKMs, and kexts so incident responders can quickly distinguish authorized operational components from suspicious additions.

Analyst notes and limits

Relationship context shows this technique is used by the Skidmap, Drovorub, and REPTILE software entries and by Operation CuckooBees. Those relationships support prioritizing detection engineering and IR playbooks for Linux/macOS kernel-level persistence, but they should not be treated as proof of activity in any local environment without telemetry.

MITRE provides no official detection text in the supplied object. The guidance above is derived from the official description, platforms, tactics, external references, and listed ATT&CK relationships only; local operating-system versions, management tooling, logging configuration, and approved driver/extension inventory are required to determine actual coverage.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1547 | Boot or Logon Autostart Execution | This object is a sub-technique of Boot or Logon Autostart Execution.
Enterprise | T1215 | Kernel Modules and Extensions | T1215 (Kernel Modules and Extensions) was revoked by this object.

Associated objects

Groups, software, and campaigns

Malware (Enterprise)

S1219: REPTILE

REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.[1]

Platforms: Linux

Campaign (Enterprise)

C0012: Operation CuckooBees

Operation CuckooBees was a cyber espionage campaign targeting technology and manufacturing companies in East Asia, Western Europe, and North America since at least 2019. Security researchers noted the goal of Operation CuckooBees, which was still ongoing as of May 2022, was likely the theft of proprietary information, research and development documents, source code, and blueprints for various technologies. Researchers assessed Operation CuckooBees was conducted by actors affiliated with Winnti Group, APT41, and BARIUM.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.4
Raw hash: 7a77549b7a456603...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.4 | | Current bundle | 7a77549b7a45…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Linux Kernel Programming: Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.
[2] Linux Kernel Module Programming Guide: Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved November 17, 2024.
[3] iDefense Rootkit Overview: Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved September 12, 2024.
[4] System and kernel extensions in macOS: Apple. (n.d.). System and kernel extensions in macOS. Retrieved March 31, 2022.
[5] Apple Kernel Extension Deprecation: Apple. (n.d.). Deprecated Kernel Extensions and System Extension Alternatives. Retrieved November 4, 2020.
[6] Volatility Phalanx2: Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.
[7] CrowdStrike Linux Rootkit: Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.
[8] GitHub Reptile: Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved April 9, 2018.
[9] GitHub Diamorphine: Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
[10] RSAC 2015 San Francisco Patrick Wardle: Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.
[11] Synack Secure Kernel Extension Broken: Wardle, P. (2017, September 8). High Sierra's 'Secure Kernel Extension Loading' is Broken. Retrieved November 17, 2024.
[12] Securelist Ventir: Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018.
[13] Trend Micro Skidmap: Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
[14] Apple Developer Configuration Profile: Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021.
[15] Linux Loadable Kernel Module Insert and Remove LKMs: Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved November 17, 2024.
[16] Purves Kextpocalypse 2: Purves, R. (2017, November 9). MDM and the Kextpocalypse. Retrieved September 23, 2021.
[17] User Approved Kernel Extension Pike's: Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. Retrieved September 23, 2021.
[18] Wikipedia Loadable Kernel Module: Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018.
[19] mitre-attack T1547.006.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.