Boot or Logon Autostart Execution: Kernel Modules and Extensions
What: Boot or Logon Autostart Execution: Kernel Modules and Extensions
Kernel Modules and Extensions are components that can be loaded into the kernel at runtime to extend its functionality. In Linux, these are typically known as Loadable Kernel Modules (LKM). On macOS, similar extensions are called Kernel Extensions (kexts). These modules can handle low-level tasks like managing hardware devices, filesystems, or network protocols.
How: Mechanism of Action
- Linux:
  - Loading: Kernel modules in Linux can be loaded using the `insmod`, `modprobe`, or `depmod` commands. `modprobe` is the more sophisticated of these because it resolves module dependencies.
  - Configuration: The `/etc/modules` file can list modules to load at boot time. Additionally, files in `/etc/modprobe.d/` can contain configuration directives for module options.
- macOS:
  - Loading: Kernel extensions are typically loaded with system utilities like `kextload`. They must be signed by an Apple Developer ID unless System Integrity Protection (SIP) is disabled.
  - Configuration: The `/Library/Extensions/` and `/System/Library/Extensions/` directories hold kexts that are loaded at boot time.
Where: Integration Points
- Linux:
  - `/etc/modules`: For specifying which kernel modules should load during the boot process.
  - `/etc/modprobe.d/`: For detailed options and configurations for specific modules.
  - `/lib/modules/$(uname -r)/`: Directory where modules reside.
- macOS:
  - `/Library/Extensions/`: User-installed kernel extensions.
  - `/System/Library/Extensions/`: System-provided kernel extensions.
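As an added example (not code from the original page or from MITRE), the following Python audits the Linux integration points above: module names in `/etc/modules`, directives in `/etc/modprobe.d/`, and the currently loaded module list compared against what is actually present under `/lib/modules/$(uname -r)/`. File contents are passed in as strings so it runs offline; the sample inputs and the names `example_rk` and `hidden_mod` are constructed assumptions.

```python
"""Audit the Linux kernel-module autostart points listed above."""
def parse_etc_modules(text):
    """Module names from /etc/modules: one per line, '#' starts a comment."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.split()[0])   # arguments may follow the name
    return names

def parse_modprobe_conf(text):
    """Map each /etc/modprobe.d/ directive to its [(module, rest-of-line)] list."""
    directives = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)
        if len(parts) >= 2:
            rest = parts[2] if len(parts) > 2 else ""
            directives.setdefault(parts[0], []).append((parts[1], rest))
    return directives

def parse_proc_modules(text):
    """Names of currently loaded modules; first field of each /proc/modules line."""
    return [line.split()[0] for line in text.splitlines() if line.strip()]

def audit(etc_modules, modprobe_confs, proc_modules, on_disk):
    """Return (severity, message) findings; on_disk = module names with .ko files."""
    findings = []
    for name in parse_etc_modules(etc_modules):
        if name not in on_disk:
            findings.append(("high", f"/etc/modules autoloads '{name}' but no such module is on disk"))
    for conf in modprobe_confs:
        # 'install' makes modprobe run a shell command instead of loading the module
        for name, cmd in parse_modprobe_conf(conf).get("install", []):
            findings.append(("high", f"modprobe.d 'install {name}' runs a command: {cmd}"))
    for name in parse_proc_modules(proc_modules):
        if name not in on_disk:
            findings.append(("high", f"loaded module '{name}' has no file under /lib/modules"))
    return findings

# Constructed sample inputs (not captured from a real system).
SAMPLE_ETC_MODULES = "# constructed\nloop\nexample_rk   # not shipped with any kernel\n"
SAMPLE_MODPROBE_CONF = "options loop max_loop=8\ninstall usb_storage /bin/true\nblacklist pcspkr\n"
SAMPLE_PROC_MODULES = "loop 40960 0 - Live 0xffffffffc0000000\nhidden_mod 16384 0 - Live 0xffffffffc0100000\n"
SAMPLE_ON_DISK = {"loop", "usb_storage", "pcspkr"}

def run_sample():
    """Audit the constructed samples; on a live host read the real files instead."""
    return audit(SAMPLE_ETC_MODULES, [SAMPLE_MODPROBE_CONF], SAMPLE_PROC_MODULES, SAMPLE_ON_DISK)

if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity}] {message}")
```

On a real host, `on_disk` would be built by walking `/lib/modules/$(uname -r)/` for `.ko` files, and a loaded module with no backing file is worth a closer look.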
Why: Utilization in IT Security (MITRE Context)
Kernel modules and extensions offer deep integration with the operating system's core functionalities, making them potent tools for both legitimate enhancements and malicious exploitation:
- Persistence: Malicious code within a kernel module or extension will be executed with high privileges (kernel mode) and can persist through reboots, making detection and removal difficult.
- Evasion: Operating at the kernel level allows malware to subvert many forms of monitoring and security scanning which operate at higher abstraction layers.
- Control: By loading malicious code as a kernel module or extension, an attacker can gain control over system resources, intercept data directly from hardware devices, manipulate network traffic stealthily, and bypass security mechanisms.
In summary, "Boot or Logon Autostart Execution: Kernel Modules and Extensions" refers to the use of system capabilities to load specific code directly into kernel space during system startup or user logon. The same capability serves legitimate needs such as driver management and harmful ones such as rootkit installation by attackers seeking deep system control without easy detection.