MITRE ATT&CK Technique: Kernel Modules and Extensions (T1215)
Description
Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that runs with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild, and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)

Common features of LKM-based rootkits include hiding the module itself, selective hiding of files, processes and network activity, log tampering, providing authenticated backdoors, and enabling root access for non-privileged users. (Citation: iDefense Rootkit Overview)

Kernel extensions (kexts) serve the same purpose on macOS as LKMs do on Linux: they load functionality into the kernel. They are loaded and unloaded with the <code>kextload</code> and <code>kextunload</code> commands. Several examples have been documented of kexts being used this way. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have also been found in the wild. (Citation: Securelist Ventir)
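A defender-side consistency check for the self-hiding behaviour described above, added here as an example (it is not ATT&CK's code nor from any project the page cites); the module names and /proc/modules lines in it are constructed sample data.

```python
"""Added example (not ATT&CK's or a cited project's code): cross-view check for
LKM rootkits that hide themselves. lsmod and /proc/modules read the kernel's
module list, which a rootkit can unlink itself from; sysfs keeps a separate
directory per loadable module under /sys/module, each with an initstate file
(built-in code has none). A name in sysfs but not in /proc/modules, or a module
tainted O (out-of-tree) or E (unsigned), deserves a closer look. A rootkit may
scrub sysfs too, so treat this as one signal among several."""
from pathlib import Path

SUSPICIOUS_TAINTS = {"O", "E"}  # from the optional last column of /proc/modules

# Constructed sample, /proc/modules format: name size refcount deps state offset [(taint)]
SAMPLE_PROC_MODULES = (
    "xt_conntrack 16384 1 - Live 0x0000000000000000\n"
    "nf_conntrack 172032 1 xt_conntrack, Live 0x0000000000000000\n"
    "vendor_mod 20480 0 - Live 0x0000000000000000 (POE)\n"
)
# Constructed sysfs view: ghostmod has an initstate file but no /proc/modules line.
SAMPLE_SYSFS_MODULES = {"xt_conntrack", "nf_conntrack", "vendor_mod", "ghostmod"}

def parse_proc_modules(text):
    """Map module name -> taint letters ('' when untainted)."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        modules[fields[0]] = fields[6].strip("()") if len(fields) > 6 else ""
    return modules

def sysfs_loaded_modules(sys_module_dir="/sys/module"):
    """Names under /sys/module with an initstate file, i.e. loadable modules."""
    base = Path(sys_module_dir)
    if not base.is_dir():
        return set()
    return {p.name for p in base.iterdir() if (p / "initstate").is_file()}

def find_anomalies(proc_modules_text, sysfs_names):
    """Return names hidden from /proc/modules and names with risky taint letters."""
    listed = parse_proc_modules(proc_modules_text)
    hidden = sorted(set(sysfs_names) - set(listed))
    tainted = sorted(n for n, t in listed.items() if SUSPICIOUS_TAINTS & set(t))
    return {"hidden": hidden, "tainted": tainted}

if __name__ == "__main__":
    proc = Path("/proc/modules")
    live = proc.exists()  # real check on a Linux host, sample elsewhere
    text = proc.read_text() if live else SAMPLE_PROC_MODULES
    names = sysfs_loaded_modules() if live else SAMPLE_SYSFS_MODULES
    print(find_anomalies(text, names))
```

Run it on a host and compare the result with what lsmod shows; a non-empty "hidden" list is a lead for memory forensics, not proof on its own.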
Supported Platforms
Linux, macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{
  "created": "2018-04-18T17:59:24.739Z",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)\n\nCommon features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through <code>kextload</code> and <code>kextunload</code> commands. Several examples have been found where this can be used. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir)",
  "external_references": [
    {
      "external_id": "T1215",
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/techniques/T1215"
    },
    {
      "description": "Pomerantz, O., Salzman, P. (2003, April 4). The Linux Kernel Module Programming Guide. Retrieved April 6, 2018.",
      "source_name": "Linux Kernel Programming",
      "url": "https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf"
    },
    {
      "description": "Pomerantz, O., Salzman, P. (2003, April 4). Modules vs Programs. Retrieved April 6, 2018.",
      "source_name": "Linux Kernel Module Programming Guide",
      "url": "http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html"
    },
    {
      "description": "Case, A. (2012, October 10). Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit. Retrieved April 9, 2018.",
      "source_name": "Volatility Phalanx2",
      "url": "https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html"
    },
    {
      "description": "Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.",
      "source_name": "CrowdStrike Linux Rootkit",
      "url": "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/"
    },
    {
      "description": "Augusto, I. (2018, March 8). Reptile - LKM Linux rootkit. Retrieved April 9, 2018.",
      "source_name": "GitHub Reptile",
      "url": "https://github.com/f0rb1dd3n/Reptile"
    },
    {
      "description": "Mello, V. (2018, March 8). Diamorphine - LKM rootkit for Linux Kernels 2.6.x/3.x/4.x (x86 and x86_64). Retrieved April 9, 2018.",
      "source_name": "GitHub Diamorphine",
      "url": "https://github.com/m0nad/Diamorphine"
    },
    {
      "description": "Chuvakin, A. (2003, February). An Overview of Rootkits. Retrieved April 6, 2018.",
      "source_name": "iDefense Rootkit Overview",
      "url": "http://www.megasecurity.org/papers/Rootkits.pdf"
    },
    {
      "description": "Wardle, P. (2015, April). Malware Persistence on OS X Yosemite. Retrieved April 6, 2018.",
      "source_name": "RSAC 2015 San Francisco Patrick Wardle",
      "url": "https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf"
    },
    {
      "description": "Wardle, P. (2017, September 8). High Sierra’s ‘Secure Kernel Extension Loading’ is Broken. Retrieved April 6, 2018.",
      "source_name": "Synack Secure Kernel Extension Broken",
      "url": "https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/"
    },
    {
      "description": "Mikhail, K. (2014, October 16). The Ventir Trojan: assemble your MacOS spy. Retrieved April 6, 2018.",
      "source_name": "Securelist Ventir",
      "url": "https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/"
    },
    {
      "description": "Wikipedia. (2018, March 17). Loadable kernel module. Retrieved April 9, 2018.",
      "source_name": "Wikipedia Loadable Kernel Module",
      "url": "https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux"
    },
    {
      "description": "Henderson, B. (2006, September 24). How To Insert And Remove LKMs. Retrieved April 9, 2018.",
      "source_name": "Linux Loadable Kernel Module Insert and Remove LKMs",
      "url": "http://tldp.org/HOWTO/Module-HOWTO/x197.html"
    }
  ],
  "id": "attack-pattern--6be14413-578e-46c1-8304-310762b3ecd5",
  "kill_chain_phases": [
    {
      "kill_chain_name": "mitre-attack",
      "phase_name": "persistence"
    }
  ],
  "modified": "2025-10-24T17:48:55.181Z",
  "name": "Kernel Modules and Extensions",
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "revoked": true,
  "spec_version": "2.1",
  "type": "attack-pattern",
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_contributors": ["Jeremy Galloway", "Red Canary"],
  "x_mitre_deprecated": false,
  "x_mitre_detection": "",
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_is_subtechnique": false,
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_platforms": ["Linux", "macOS"],
  "x_mitre_version": "1.1"
}