Kernel Modules and Extensions (T1215)

Technique & Subtechniques

  • Kernel Modules and Extensions

Associated Tactics

  • Persistence

Persistence (TA0003)

The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.

Procedure Examples

Description Source(s)
  • Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018. (Linux Kernel Programming)
  • Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018. (Linux Kernel Module Programming Guide)
  • Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018. (Volatility Phalanx2)
  • Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017. (CrowdStrike Linux Rootkit)
  • Augusto, I. (2018, March 8). Reptile - LKM Linux rootkit. Retrieved April 9, 2018. (GitHub Reptile)
  • Mello, V. (2018, March 8). Diamorphine - LKM rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018. (GitHub Diamorphine)
  • Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018. (iDefense Rootkit Overview)
  • Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018. (RSAC 2015 San Francisco Patrick Wardle)
  • Wardle, P. (2017, September 8). High Sierra's 'Secure Kernel Extension Loading' is Broken. Retrieved April 6, 2018. (Synack Secure Kernel Extension Broken)
  • Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018. (Securelist Ventir)
  • Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018. (Wikipedia Loadable Kernel Module)
  • Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018. (Linux Loadable Kernel Module Insert and Remove LKMs)