DC0031 Kernel Module Load
| Item | Value |
|---|---|
| ID | DC0031 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 21 October 2025 |

Log Sources
| Name | Channel |
|---|---|
| esxi:vmkernel | VM exit/entry anomalies, unexpected hypercalls, or kernel module loading |
| macos:osquery | New kext entries not signed by Apple or outside standard identifier prefix |

Detection Strategy
| ID | Name | Technique Detected |
|---|---|---|
| DET0219 | Detection Strategy for Escape to Host | T1611 |
| DET0450 | Detection Strategy for Kernel Modules and Extensions Autostart Execution | T1547.006 |