Kernel Modules and Extensions - T1547.006
(ATT&CK® Technique)
Definition
Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.
D3FEND Inferred Relationships
Offensive relationship:
Kernel Modules and Extensions (T1547.006, /offensive-technique/attack/T1547.006/) modifies the Kernel Module artifact (/dao/artifact/d3f:KernelModule).

Inferred defensive relationships. Each defensive technique acts directly on the Kernel Module artifact; its relation to T1547.006 (the "may-..." column) is inferred from that.

Defensive technique            | Action on Kernel Module | Inferred relation to T1547.006 | D3FEND page
File Encryption                | encrypts                | may-harden                     | /technique/d3f:FileEncryption
Content Modification           | modifies                | may-isolate                    | /technique/d3f:ContentModification
Content Quarantine             | quarantines             | may-isolate                    | /technique/d3f:ContentQuarantine
Restore File                   | restores                | may-restore                    | /technique/d3f:RestoreFile
File Analysis                  | analyzes                | may-detect                     | /technique/d3f:FileAnalysis
Decoy File                     | spoofs                  | may-deceive                    | /technique/d3f:DecoyFile
File Integrity Monitoring      | analyzes                | may-detect                     | /technique/d3f:FileIntegrityMonitoring
File Eviction                  | deletes                 | may-evict                      | /technique/d3f:FileEviction
Content Filtering              | filters                 | may-isolate                    | /technique/d3f:ContentFiltering
Local File Permissions         | restricts               | may-isolate                    | /technique/d3f:LocalFilePermissions
Remote File Access Mediation   | isolates                | may-isolate                    | /technique/d3f:RemoteFileAccessMediation
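The definition above describes the technique; the File Analysis and File Integrity Monitoring relationships describe the defensive side. The following script is an added example for this page (it is not D3FEND or ATT&CK code) showing what such an analysis of the Kernel Module artifact looks like on Linux: it parses the kernel's own /proc/modules listing, reads the taint letters the kernel attaches to modules that are unsigned, force-loaded or out-of-tree, compares loaded and boot-time autoloaded modules (modules-load.d format) against a known-good baseline, and reports anything that does not fit. The baseline set, the sample /proc/modules text, the sample modules-load.d file and the module name "sysmon_helper" are all constructed for the demonstration.

```python
"""Detection helper for T1547.006 on Linux: flag kernel modules that are loaded
with suspicious taint flags, are absent from a known-good baseline, or are
configured to reload at every boot.

Added example for this page; it is not D3FEND or ATT&CK code. The baseline
set, the sample /proc/modules text and the sample modules-load.d file are
constructed for the demonstration (the module name "sysmon_helper" is invented).
"""
from dataclasses import dataclass

# Taint letters as printed in the trailing "(...)" field of /proc/modules
# (see Documentation/admin-guide/tainted-kernels.rst in the kernel tree).
TAINT_MEANINGS = {
    "P": "proprietary module",
    "F": "force-loaded (insmod -f, version check bypassed)",
    "O": "out-of-tree module",
    "E": "unsigned module loaded on a kernel built with module signing",
    "C": "staging driver",
}
# E and F are high signal on any host; O is only interesting for a module the
# baseline does not already know about (many vendor drivers are out-of-tree).
ALWAYS_SUSPICIOUS = {"E", "F"}


@dataclass
class LoadedModule:
    name: str
    size: int
    refcount: int
    deps: list
    state: str
    taints: str  # e.g. "OE"; empty when the module carries no taint flag


def parse_proc_modules(text: str) -> list:
    """Parse /proc/modules lines: name size refcount deps state address [(taints)].
    deps is "-" or a comma-terminated list such as "xfs,"."""
    mods = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # blank or malformed line
        name, size, refcount, deps, state = parts[:5]
        dep_list = [] if deps == "-" else [d for d in deps.split(",") if d]
        taints = ""
        if len(parts) >= 7 and parts[6].startswith("("):
            taints = parts[6].strip("()")
        mods.append(LoadedModule(name, int(size), int(refcount), dep_list, state, taints))
    return mods


def parse_modules_load(text: str) -> list:
    """Parse an /etc/modules-load.d/*.conf or /etc/modules body: one module
    name per line; '#' and ';' start comments."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            names.append(line)
    return names


def find_suspicious(loaded, autoload, baseline) -> dict:
    """Return {module_name: [reasons]} for modules worth an analyst's attention."""
    findings = {}

    def note(name, reason):
        findings.setdefault(name, []).append(reason)

    for m in loaded:
        known = m.name in baseline
        if not known:
            note(m.name, "loaded but not in baseline")
        for t in m.taints:
            if t in ALWAYS_SUSPICIOUS or (t == "O" and not known):
                note(m.name, f"taint {t}: {TAINT_MEANINGS.get(t, 'unknown flag')}")
    for name in autoload:
        if name not in baseline:
            note(name, "configured to load at every boot but not in baseline")
    return findings


# --- constructed sample data (not captured from a real host) -----------------
SAMPLE_PROC_MODULES = """\
xfs 1888256 2 - Live 0xffffffffc0a00000
libcrc32c 16384 1 xfs, Live 0xffffffffc09f0000
nf_conntrack 172032 1 nf_nat, Live 0xffffffffc0900000
vboxguest 393216 0 - Live 0xffffffffc0700000 (O)
sysmon_helper 16384 0 - Live 0xffffffffc0b00000 (OE)
"""

SAMPLE_MODULES_LOAD = """\
# constructed /etc/modules-load.d/custom.conf
nf_conntrack
sysmon_helper   ; re-inserted by systemd-modules-load on every boot
"""

BASELINE = {"xfs", "libcrc32c", "nf_conntrack", "nf_nat", "vboxguest"}


if __name__ == "__main__":
    # On a live host, read open("/proc/modules").read() and the files under
    # /etc/modules-load.d/ instead of the constructed samples above.
    loaded = parse_proc_modules(SAMPLE_PROC_MODULES)
    autoload = parse_modules_load(SAMPLE_MODULES_LOAD)
    for name, reasons in find_suspicious(loaded, autoload, BASELINE).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run against the samples, only sysmon_helper is reported: it is not in the baseline, it carries the O and E taints (out-of-tree and unsigned), and it is listed for autoload at boot, which is the persistence half of the technique. vboxguest is also out-of-tree but is in the baseline, so the O taint alone does not raise it; that split keeps the check usable on hosts with vendor drivers while still catching an unsigned or force-loaded module anywhere. A rootkit that hides itself from /proc/modules will of course not appear here; pair this with the on-disk checks the File Integrity Monitoring row implies (hashing the .ko files under the kernel's module directory against a baseline) rather than relying on the kernel's self-report alone.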