Detect Linux Kernel Module Load via Built-in Utility
This threat involves adversaries with root privileges using the `insmod` or `modprobe` utilities to load malicious Linux kernel object files (.ko), often rootkits, which provides complete system control and evasion capabilities, making detection of this uncommon activity critical.
Threat actors with root privileges on a Linux system can load malicious kernel object files (rootkits) using the insmod or modprobe utilities. This technique, updated in a detection rule on July 16, 2026, and supported by Elastic Stack version 9.3.0 and newer, allows adversaries to gain complete control over a compromised system and effectively hide their presence from security products. This activity, which is highly unusual in legitimate environments, serves as a significant indicator of compromise for persistence and defense evasion. The primary motivation for attackers employing this method is to establish covert and enduring access, enabling various post-exploitation activities without detection.
Attack Chain
- Adversary gains initial access to a Linux system, likely through a vulnerability exploit, stolen credentials, or social engineering.
- The attacker elevates their privileges to root on the compromised system, a prerequisite for loading kernel modules.
- A malicious Linux kernel object (.ko) file, often a rootkit, is staged onto the system.
- The attacker executes the
insmodormodprobeutility to load the staged malicious kernel module into the operating system. - The loaded kernel module activates, establishing deep system control and mechanisms for hiding its presence.
- The rootkit modifies system behavior or hides malicious processes/files, granting persistent access and evading security products.
- With complete control and stealth, the attacker conducts further malicious activities, such as data exfiltration or deploying additional malware.
Impact
Successful exploitation allows attackers to gain complete control over the compromised Linux system, granting them the ability to evade security products and maintain persistent access. This can lead to severe consequences, including unauthorized data exfiltration, system integrity compromise, the deployment of additional malware, and the use of the compromised host for further attacks. Specific victim counts or targeted sectors are not detailed, but any Linux-based system with root privileges could be susceptible to this technique.
Recommendation
- Deploy the Sigma rule "Detect Linux Kernel Module Load via Built-in Utility" to your SIEM environment to detect suspicious kernel module loading activities.
- Enable
process_creationlogging for your Linux endpoints, specifically ensuring Elastic Defend is configured to collect such events for the rule above. - Investigate the kernel object file ($osquery_1) that was loaded for signs of malicious intent.
- Investigate the script execution chain (parent process tree) ($osquery_2) for unknown processes or unusual binaries leading to module loading.
- Examine network connections, listening ports ($osquery_3), and open sockets ($osquery_4) for abnormal behaviors by the process or user involved in kernel module loading.
- Implement host-based intrusion detection systems (HIDS) or endpoint detection and response (EDR) solutions that can monitor kernel-level activities and command execution.
Detection coverage 1
Detect Linux Kernel Module Load via Built-in Utility
highDetects the use of `insmod`, `modprobe`, or `kmod` to load Linux kernel object files, indicating potential rootkit deployment or malicious activity.
Detection queries are available on the platform. Get full rules →