Loading of Kernel Module via Insmod
Detects loading of kernel modules with insmod command. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
Sigma rule
title: Loading of Kernel Module via Insmod
id: 106d7cbd-80ff-4985-b682-a7043e5acb72
status: test
description: |
    Detects loading of kernel modules with insmod command.
    Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand.
    Adversaries may use LKMs to obtain persistence within the system or elevate the privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.006/T1547.006.md
    - https://linux.die.net/man/8/insmod
    - https://man7.org/linux/man-pages/man8/kmod.8.html
author: 'Pawel Mazur'
date: 2021-11-02
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1547.006
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'SYSCALL'
        comm: insmod
        exe: /usr/bin/kmod
    condition: selection
falsepositives:
    - Unknown
level: high
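As an added example (not part of the rule or of the Sigma project), the selection above applied in Python to a few constructed auditd lines: a raw-record parser, the rule's three-field match, and a `find_module_loads` helper that keeps the audit event id for triage. The sample records, syscall numbers and helper names are assumptions of this example, not page content.

```python
import re

# Constructed sample auditd records (not real captures). Records 1 and 4 mirror
# the rule's selection (SYSCALL, comm=insmod, exe=/usr/bin/kmod); record 2 is an
# ordinary process; record 3 is the PROCTITLE line sharing event id 4567.
# syscall=175 is init_module on x86_64, the call insmod makes.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1636000000.123:4567): arch=c000003e syscall=175 success=yes exit=0 ppid=1234 pid=1240 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="insmod" exe="/usr/bin/kmod" key=(null)
type=SYSCALL msg=audit(1636000001.456:4568): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1241 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key=(null)
type=PROCTITLE msg=audit(1636000000.123:4567): proctitle=696E736D6F6400726F6F746B69742E6B6F
type=SYSCALL msg=audit(1636000002.789:4569): arch=c000003e syscall=175 success=no exit=-1 ppid=1 pid=1250 auid=1000 uid=1000 comm="insmod" exe="/usr/bin/kmod" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r"audit\([\d.]+:(\d+)\)")
# auditd hex-encodes these fields when the value contains spaces or special characters
HEX_FIELDS = {"comm", "exe", "proctitle"}


def parse_record(line: str) -> dict:
    """Turn one raw auditd line into a dict of field -> value."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        elif key in HEX_FIELDS and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
            # hex-encoded value; NUL separates argv entries in proctitle
            value = bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
        fields[key] = value
    return fields


def matches_insmod_rule(rec: dict) -> bool:
    """The Sigma selection: type=SYSCALL AND comm=insmod AND exe=/usr/bin/kmod."""
    return (rec.get("type") == "SYSCALL"
            and rec.get("comm") == "insmod"
            and rec.get("exe") == "/usr/bin/kmod")


def find_module_loads(log_text: str) -> list:
    """Return every record matching the rule, annotated with its audit event id."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if matches_insmod_rule(rec):
            m = EVENT_ID_RE.search(rec.get("msg", ""))
            rec["event_id"] = m.group(1) if m else None
            hits.append(rec)
    return hits
```

The `exe` value is an exact path match, so on systems where the kmod binary does not resolve to `/usr/bin/kmod` the rule's `exe` field has to be adjusted; the event id lets an analyst pull the matching PROCTITLE record to see which module file was named.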