Kernel Modules and Extensions

Kernel Modules and Extensions [T1547.006]

Information

Name: Kernel Modules and Extensions
ID: T1547.006
Tactics: ,
Technique:

Introduction

Kernel Modules and Extensions (T1547.006) is a sub-technique under the MITRE ATT&CK framework categorized within the Persistence tactic. This sub-technique involves attackers loading malicious kernel modules or extensions into operating system kernels to achieve persistence, escalate privileges, and maintain covert access. Kernel modules or extensions typically have high privileges, providing attackers with deep system-level control, making detection and remediation challenging.

Deep Dive Into Technique

Kernel modules (Linux) and kernel extensions (Windows/macOS) are components dynamically loaded into the kernel, extending its functionality. Attackers exploit this capability to inject malicious code directly into the kernel space, bypassing traditional user-space security mechanisms.

Technical details include:

Loading Malicious Modules/Extensions:
- Linux: Attackers use commands like insmod, modprobe, or manipulate /etc/modules or /etc/modprobe.d/ files.
- Windows: Malicious kernel-mode drivers loaded through tools like sc.exe, direct registry edits, or exploitation of driver signing vulnerabilities.
- macOS: Attackers may leverage kernel extensions (kexts) placed within /Library/Extensions/ or /System/Library/Extensions/.
Persistence and Privilege Escalation:
- Malicious kernel modules/extensions load at boot, ensuring persistent access.
- Kernel-level access enables attackers to escalate privileges, intercept system calls, hide processes, and manipulate network traffic.
Stealth and Anti-Detection Mechanisms:
- Rootkits often reside in kernel space to evade detection from antivirus and endpoint protection tools.
- Attackers may obfuscate malicious modules/extensions by naming them similarly to legitimate system components or signing them with compromised certificates.

When this Technique is Usually Used

Attackers typically utilize kernel modules and extensions during various stages of an intrusion, including:

Persistence Stage:
- Ensuring continuous access even after system reboots or security measures.
- Creating backdoors that are difficult to detect and remove.
Privilege Escalation Stage:
- Gaining higher-level privileges (root or SYSTEM) to perform advanced malicious activities.
Defense Evasion Stage:
- Hiding malicious activities from security monitoring tools.
- Intercepting and manipulating system calls to conceal malicious processes, files, and network connections.
Advanced Persistent Threat (APT) Campaigns:
- Nation-state or sophisticated cybercriminal groups frequently employ kernel-level techniques for covert, long-term operations.

How this Technique is Usually Detected

Detection of malicious kernel modules or extensions requires specialized security monitoring and analysis techniques, including:

Kernel Module Monitoring:
- Regularly auditing loaded modules/extensions using tools like lsmod (Linux), driverquery (Windows), or kextstat (macOS).
- Monitoring kernel module loading/unloading events via system logs and audit frameworks (e.g., Linux AuditD, Windows Event Logs).
Integrity Checking and Whitelisting:
- Maintaining whitelists of authorized kernel modules/extensions and alerting on unauthorized or unknown kernel components.
- File integrity monitoring (FIM) solutions to detect unauthorized changes in kernel module directories.
Behavioral Analysis and Endpoint Detection and Response (EDR) Tools:
- Advanced endpoint security solutions can detect suspicious kernel-level activities, such as hooking system calls or unauthorized driver loading.
- Behavioral analytics can identify anomalies in kernel-level operations indicative of rootkit activities.
Indicators of Compromise (IoCs):
- Unrecognized kernel modules/extensions loaded from unusual directories or with unusual names.
- Suspicious system crashes or instability potentially caused by poorly written malicious kernel code.
- Unexpected kernel module load/unload events logged in system audit data.
- Presence of unsigned or improperly signed kernel modules/extensions.

Why it is Important to Detect This Technique

Early detection of malicious kernel modules or extensions is critical due to their severe potential impacts, including:

System Compromise and Privilege Escalation:
- Attackers gain complete control of the affected system, allowing extensive manipulation and exploitation.
Stealth and Persistence:
- Kernel-level malware can evade traditional antivirus and endpoint security solutions, remaining undetected for extended periods.
- Persistent kernel-level threats can survive reboots, system updates, and standard remediation efforts.
Data Theft and Exfiltration:
- Attackers can intercept sensitive data at the kernel level, bypassing encryption and security controls.
System Instability and Reliability Issues:
- Poorly written malicious kernel modules/extensions can cause system crashes, instability, and performance degradation.
Difficulty in Remediation:
- Detection and removal of kernel-level malware often require specialized skills and tools, making remediation costly and challenging.

Examples

Real-world examples demonstrating the use of malicious kernel modules and extensions include:

Turla Rootkit (Linux):
- Turla APT group deployed kernel-level rootkits to maintain persistent access and evade detection in Linux environments.
- Rootkit intercepted system calls, hiding malicious processes and network connections, and allowing covert remote access.
Equation Group's EQUATIONDRUG and GRAYFISH (Windows):
- Advanced kernel-mode rootkits used by the Equation Group to maintain persistence, evade detection, and exfiltrate sensitive data.
- GRAYFISH operated entirely in kernel mode, intercepting disk operations to hide malicious files and registry entries.
Slingshot APT (Windows):
- Sophisticated kernel-mode malware discovered by Kaspersky Labs, leveraging malicious drivers to gain kernel-level access and persistently infect systems.
- The malware intercepted network traffic, harvested sensitive information, and evaded endpoint detection.
OSX/Crisis (macOS):
- macOS malware leveraging kernel extensions to achieve persistence and intercept communications.
- Crisis malware installed malicious kernel extensions to monitor user activities, capture keystrokes, and exfiltrate data covertly.

These examples illustrate the significant threat kernel-level malware poses to organizations, emphasizing the importance of proactive monitoring, detection, and response capabilities.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Technical details include:

Loading Malicious Modules/Extensions:

Linux: Attackers use commands like insmod, modprobe, or manipulate /etc/modules or /etc/modprobe.d/ files.
Windows: Malicious kernel-mode drivers loaded through tools like sc.exe, direct registry edits, or exploitation of driver signing vulnerabilities.
macOS: Attackers may leverage kernel extensions (kexts) placed within /Library/Extensions/ or /System/Library/Extensions/.

Persistence and Privilege Escalation:

Malicious kernel modules/extensions load at boot, ensuring persistent access.
Kernel-level access enables attackers to escalate privileges, intercept system calls, hide processes, and manipulate network traffic.

Stealth and Anti-Detection Mechanisms:

Rootkits often reside in kernel space to evade detection from antivirus and endpoint protection tools.
Attackers may obfuscate malicious modules/extensions by naming them similarly to legitimate system components or signing them with compromised certificates.

When this Technique is Usually Used

Attackers typically utilize kernel modules and extensions during various stages of an intrusion, including:

Persistence Stage:

Ensuring continuous access even after system reboots or security measures.
Creating backdoors that are difficult to detect and remove.

Privilege Escalation Stage:

Gaining higher-level privileges (root or SYSTEM) to perform advanced malicious activities.

Defense Evasion Stage:

Hiding malicious activities from security monitoring tools.
Intercepting and manipulating system calls to conceal malicious processes, files, and network connections.

Advanced Persistent Threat (APT) Campaigns:

Nation-state or sophisticated cybercriminal groups frequently employ kernel-level techniques for covert, long-term operations.

How this Technique is Usually Detected

Detection of malicious kernel modules or extensions requires specialized security monitoring and analysis techniques, including:

Kernel Module Monitoring:

Regularly auditing loaded modules/extensions using tools like lsmod (Linux), driverquery (Windows), or kextstat (macOS).
Monitoring kernel module loading/unloading events via system logs and audit frameworks (e.g., Linux AuditD, Windows Event Logs).

Integrity Checking and Whitelisting:

Maintaining whitelists of authorized kernel modules/extensions and alerting on unauthorized or unknown kernel components.
File integrity monitoring (FIM) solutions to detect unauthorized changes in kernel module directories.

Behavioral Analysis and Endpoint Detection and Response (EDR) Tools:

Advanced endpoint security solutions can detect suspicious kernel-level activities, such as hooking system calls or unauthorized driver loading.
Behavioral analytics can identify anomalies in kernel-level operations indicative of rootkit activities.

Indicators of Compromise (IoCs):

Unrecognized kernel modules/extensions loaded from unusual directories or with unusual names.
Suspicious system crashes or instability potentially caused by poorly written malicious kernel code.
Unexpected kernel module load/unload events logged in system audit data.
Presence of unsigned or improperly signed kernel modules/extensions.

Why it is Important to Detect This Technique

Early detection of malicious kernel modules or extensions is critical due to their severe potential impacts, including:

System Compromise and Privilege Escalation:

Attackers gain complete control of the affected system, allowing extensive manipulation and exploitation.

Stealth and Persistence:

Kernel-level malware can evade traditional antivirus and endpoint security solutions, remaining undetected for extended periods.
Persistent kernel-level threats can survive reboots, system updates, and standard remediation efforts.

Data Theft and Exfiltration:

Attackers can intercept sensitive data at the kernel level, bypassing encryption and security controls.

System Instability and Reliability Issues:

Poorly written malicious kernel modules/extensions can cause system crashes, instability, and performance degradation.

Difficulty in Remediation:

Detection and removal of kernel-level malware often require specialized skills and tools, making remediation costly and challenging.

Examples

Real-world examples demonstrating the use of malicious kernel modules and extensions include:

Turla Rootkit (Linux):

Turla APT group deployed kernel-level rootkits to maintain persistent access and evade detection in Linux environments.
Rootkit intercepted system calls, hiding malicious processes and network connections, and allowing covert remote access.

Equation Group's EQUATIONDRUG and GRAYFISH (Windows):

Advanced kernel-mode rootkits used by the Equation Group to maintain persistence, evade detection, and exfiltrate sensitive data.
GRAYFISH operated entirely in kernel mode, intercepting disk operations to hide malicious files and registry entries.

Slingshot APT (Windows):

Sophisticated kernel-mode malware discovered by Kaspersky Labs, leveraging malicious drivers to gain kernel-level access and persistently infect systems.
The malware intercepted network traffic, harvested sensitive information, and evaded endpoint detection.

OSX/Crisis (macOS):

macOS malware leveraging kernel extensions to achieve persistence and intercept communications.
Crisis malware installed malicious kernel extensions to monitor user activities, capture keystrokes, and exfiltrate data covertly.

These examples illustrate the significant threat kernel-level malware poses to organizations, emphasizing the importance of proactive monitoring, detection, and response capabilities.