T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions

Description from ATT&CK

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system.(Citation: Linux Kernel Programming)  When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0).(Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors, and enabling root access to non-privileged users.(Citation: iDefense Rootkit Overview) Kernel extensions, also called kext, are used in macOS to load functionality onto a system similar to LKMs for Linux. Since the kernel is responsible for enforcing security and the kernel extensions run as apart of the kernel, kexts are not governed by macOS security policies. Kexts are loaded and unloaded through kextload and kextunload commands. Kexts need to be signed with a developer ID that is granted privileges by Apple allowing it to sign Kernel extensions. Developers without these privileges may still sign kexts but they will not load unless SIP is disabled. If SIP is enabled, the kext signature is verified before being added to the AuxKC.(Citation: System and kernel extensions in macOS) Since macOS Catalina 10.15, kernel extensions have been deprecated in favor of System Extensions. However, kexts are still allowed as "Legacy System Extensions" since there is no System Extension for Kernel Programming Interfaces.(Citation: Apple Kernel Extension Deprecation) Adversaries can use LKMs and kexts to conduct [Persistence](https://attack.mitre.org/tactics/TA0003) and/or [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) on a system. Examples have been found in the wild, and there are some relevant open source projects as well.(Citation: Volatility Phalanx2)(Citation: CrowdStrike Linux Rootkit)(Citation: GitHub Reptile)(Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle)(Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)(Citation: Trend Micro Skidmap)

Atomic Tests


Atomic Test #1 - Linux - Load Kernel Module via insmod

This test uses the insmod command to load a kernel module for Linux.

Supported Platforms: Linux

auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | module_name | Name of the kernel module name. | string | T1547006| | module_path | Folder used to store the module. | path | /tmp/T1547.006/T1547006.ko| | temp_folder | Temp folder used to compile the code. | path | /tmp/T1547.006| | module_source_path | Path to download Gsecdump binary file | path | PathToAtomicsFolder/T1547.006/src|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
sudo insmod #{module_path}

Cleanup Commands:

1
2
sudo rmmod #{module_name}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}

Dependencies: Run with
1
bash
!

Description: The kernel module must exist on disk at specified location
Check Prereq Commands:
1
if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
3
4
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{module_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
if [ ! -f #{module_path} ]; then mv #{temp_folder}/#{module_name}.ko #{module_path}; fi;



Atomic Test #2 - MacOS - Load Kernel Module via kextload and kmutil

This test uses the kextload and kmutil commands to load and unload a MacOS kernel module.

Supported Platforms: macOS

auto_generated_guid: f4391089-d3a5-4dd1-ab22-0419527f2672

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | module_path | Folder used to store the module. | path | /Library/Extensions/SoftRAID.kext|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
2
3
4
5
6
7
set -x
sudo kextload #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload #{module_path}
sudo kmutil load -p #{module_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kmutil unload -p #{module_path}

Dependencies: Run with
1
bash
!

Description: The kernel module must exist on disk at specified location
Check Prereq Commands:
1
if [ -d #{module_path} ] ; then exit 0; else exit 1 ; fi
Get Prereq Commands:
1
exit 1



Atomic Test #3 - MacOS - Load Kernel Module via KextManagerLoadKextWithURL()

This test uses the IOKit API to load a kernel module for macOS. Harcoded to use SoftRAID kext

Supported Platforms: macOS

auto_generated_guid: f0007753-beb3-41ea-9948-760785e4c1e5

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | src_path | Folder used to store the module. | path | PathToAtomicsFolder/T1547.006/src/macos_kextload.c| | exe_path | Folder used to store the module. | path | /tmp/T1547006_iokit_loader|

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
2
3
sudo #{exe_path}
kextstat 2>/dev/null | grep SoftRAID
sudo kextunload /Library/Extensions/SoftRAID.kext

Cleanup Commands:

1
rm -f #{exe_path}

Dependencies: Run with
1
bash
!

Description: The kernel module must exist on disk at specified location
Check Prereq Commands:
1
if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi
Get Prereq Commands:
1
cc -o #{exe_path} #{src_path} -framework IOKit -framework Foundation



Atomic Test #4 - Snake Malware Kernel Driver Comadmin

The following Atomic Test will write an file, comadmin.dat, to disk. From the report, Snake’s installer drops the kernel driver and a custom DLL which is used to load the driver into a single AES encrypted file on disk. Typically, this file is named “comadmin.dat” and is stored in the %windows%\system32\Com directory. This Atomic Test will write a hardcoded named file to disk in the com directory named comadmin.dat. Snake Malware - CISA

Supported Platforms: Windows

auto_generated_guid: e5cb5564-cc7b-4050-86e8-f2d9eec1941f

Attack Commands: Run with
1
powershell
! Elevation Required (e.g. root or admin)

1
$examplePath = Join-Path $env:windir "system32\Com"; if (-not (Test-Path $examplePath)) { New-Item -ItemType Directory -Path $examplePath | Out-Null }; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; $randomBytes = New-Object Byte[] 0x1000; (New-Object Random).NextBytes($randomBytes); [System.IO.File]::WriteAllBytes($exampleFullPath, $randomBytes)

Cleanup Commands:

1
$examplePath = Join-Path $env:windir "system32\Com"; $exampleName = "comadmin.dat"; $exampleFullPath = Join-Path $examplePath $exampleName; if (Test-Path $exampleFullPath) { Remove-Item $exampleFullPath -Force }