Куда я попал?
SECURITM это система для корпоративных служб информационной безопасности, которая автоматизирует ключевые процессы управления: контроль соответствия требованиям, управление рисками, учет активов, планирование работ, задачи, технические уязвимости, опросы и т.д.
SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом в рамках сообщества служб безопасности.

Boot or Logon Autostart Execution:  Модули и расширения ядра

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)  When used maliciously, LKMs can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview) Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS) Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation) Adversaries can use LKMs and kexts to conduct Persistence and/or Privilege Escalation on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)

ID: T1547.006
Относится к технике:  T1547
Тактика(-и): Persistence, Privilege Escalation
Платформы: Linux, macOS
Требуемые разрешения: root
Источники данных: Command: Command Execution, File: File Creation, File: File Modification, Kernel: Kernel Module Load, Process: Process Creation
Версия: 1.3
Дата создания: 24 Jan 2020
Последнее изменение: 20 Apr 2022

Примеры процедур

Название Описание

Drovorub can use kernel modules to establish persistence.(Citation: NSA/FBI Drovorub August 2020)


Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines.(Citation: Trend Micro Skidmap)

During Operation CuckooBees, attackers used a signed kernel rootkit to establish additional persistence.(Citation: Cybereason OperationCuckooBees May 2022)


Контрмера Описание
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.


Use signatures or heuristics to detect malicious software.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.


Loading, unloading, and manipulating modules on Linux systems can be detected by monitoring for the following commands: modprobe, insmod, lsmod, rmmod, or modinfo (Citation: Linux Loadable Kernel Module Insert and Remove LKMs) LKMs are typically loaded into /lib/modules and have had the extension .ko ("kernel object") since version 2.6 of the Linux kernel. (Citation: Wikipedia Loadable Kernel Module) Adversaries may run commands on the target system before loading a malicious module in order to ensure that it is properly compiled. (Citation: iDefense Rootkit Overview) Adversaries may also execute commands to identify the exact version of the running Linux kernel and/or download multiple versions of the same .ko (kernel object) files to use the one appropriate for the running system.(Citation: Trend Micro Skidmap) Many LKMs require Linux headers (specific to the target kernel) in order to compile properly. These are typically obtained through the operating systems package manager and installed like a normal package. On Ubuntu and Debian based systems this can be accomplished by running: apt-get install linux-headers-$(uname -r) On RHEL and CentOS based systems this can be accomplished by running: yum install kernel-devel-$(uname -r) On macOS, monitor for execution of kextload commands and user installed kernel extensions performing abnormal and/or potentially malicious activity (such as creating network connections). Monitor for new rows added in the kext_policy table. KextPolicy stores a list of user approved (non Apple) kernel extensions and a partial history of loaded kernel modules in a SQLite database, /var/db/SystemPolicyConfiguration/KextPolicy.(Citation: User Approved Kernel Extension Pike’s)(Citation: Purves Kextpocalypse 2)(Citation: Apple Developer Configuration Profile)


  1. Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018.
  2. Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel Extension Loading’ is Broken. Retrieved April 6, 2018.
  3. Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.
  4. Richard Purves. (2017, November 9). MDM and the Kextpocalypse . Retrieved September 23, 2021.
  5. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  6. Pomerantz, O., Salzman, P.. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.
  7. Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018.
  8. Pikeralpha. (2017, August 29). User Approved Kernel Extension Loading…. Retrieved September 23, 2021.
  9. Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018.
  10. Mello, V. (2018, March 8). Diamorphine - LMK rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.
  11. Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.
  12. Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018.
  13. Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018.
  14. Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.
  15. Augusto, I. (2018, March 8). Reptile - LMK Linux rootkit. Retrieved April 9, 2018.
  16. Apple. (n.d.). System and kernel extensions in macOS. Retrieved March 31, 2022.
  17. Apple. (n.d.). Deprecated Kernel Extensions and System Extension Alternatives. Retrieved November 4, 2020.
  18. Apple. (2019, May 3). Configuration Profile Reference. Retrieved September 23, 2021.
  19. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  20. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  21. Wikibooks. (2018, August 19). Grsecurity/The RBAC System. Retrieved June 4, 2020.
  22. Vander Stoep, J. (2016, April 5). [v3] selinux: restrict kernel module loadinglogin register. Retrieved April 9, 2018.
  23. Pingios, A.. (2018, February 7). LKM loading kernel restrictions. Retrieved June 4, 2020.
  24. Kernel.org. (2020, February 6). Kernel Self-Protection. Retrieved June 4, 2020.
  25. Boelen, M. (2015, October 7). Increase kernel integrity with disabled Linux kernel modules loading. Retrieved June 4, 2020.
  26. Murilo, N., Steding-Jessen, K. (2017, August 23). Chkrootkit. Retrieved April 9, 2018.
  27. Rootkit Hunter Project. (2018, February 20). The Rootkit Hunter project. Retrieved April 9, 2018.
  28. Apple. (2019, May 3). Configuration Profile Reference, Developer. Retrieved April 15, 2022.
  29. Apple. (2018, April 19). Technical Note TN2459: User-Approved Kernel Extension Loading. Retrieved June 30, 2020.

Связанные риски