Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)When used maliciously, LKMs can be a type of kernel-mode Rootkit that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview)
Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through
kextload
andkextunload
commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS)Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation)
Adversaries can use LKMs and kexts to conduct Persistence and/or Privilege Escalation on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)
-
Atomic Test #2 - MacOS - Load Kernel Module via kextload and kmutil
-
Atomic Test #3 - MacOS - Load Kernel Module via KextManagerLoadKextWithURL()
This test uses the insmod command to load a kernel module for Linux.
Supported Platforms: Linux
auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23
Name | Description | Type | Default Value |
---|---|---|---|
module_name | Name of the kernel module name. | string | T1547006 |
module_path | Folder used to store the module. | path | /tmp/T1547.006/T1547006.ko |
temp_folder | Temp folder used to compile the code. | path | /tmp/T1547.006 |
module_source_path | Path to download Gsecdump binary file | path | PathToAtomicsFolder/T1547.006/src |
sudo insmod #{module_path}
sudo rmmod #{module_name}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{module_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
if [ ! -f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi;
This test uses the kextload and kmutil commands to load and unload a MacOS kernel module.
Supported Platforms: macOS
auto_generated_guid: f4391089-d3a5-4dd1-ab22-0419527f2672
Name | Description | Type | Default Value |
---|---|---|---|
module_path | Folder used to store the module. | path | /Library/Extensions/SoftRAID.kext |
set -x
sudo kextload #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload #{module_path}
sudo kmutil load -p #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kmutil unload -p #{module_path}
if [ -d #{module_path} ] ; then exit 0; else exit 1 ; fi
exit 1
This test uses the IOKit API to load a kernel module for macOS. Harcoded to use SoftRAID kext
Supported Platforms: macOS
auto_generated_guid: f0007753-beb3-41ea-9948-760785e4c1e5
Name | Description | Type | Default Value |
---|---|---|---|
src_path | Folder used to store the module. | path | PathToAtomicsFolder/T1547.006/src/macos_kextload.c |
exe_path | Folder used to store the module. | path | /tmp/T1547006_iokit_loader |
sudo #{exe_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload /Library/Extensions/SoftRAID.kext
rm -f #{exe_path}
if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
cc -o #{exe_path} #{src_path} -framework IOKit -framework Foundation
The following Atomic Test will write an file, comadmin.dat, to disk. From the report, Snake's installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named “comadmin.dat” and is stored in the %windows%\system32\Com directory. This Atomic Test will write a hardcoded named file to disk in the com directory named comadmin.dat. Snake Malware - CISA
Supported Platforms: Windows
auto_generated_guid: e5cb5564-cc7b-4050-86e8-f2d9eec1941f
$examplePath = Join-Path $env:windir "system32\Com"; if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null }; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); [System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)
$examplePath = Join-Path $env:windir "system32\Com"; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }