| Item | Value |
| --- | --- |
| ID | DET0377 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1014 (Rootkit)
Analytics
Windows
AN1061
Unauthorized or anomalous loading of kernel-mode drivers or DLLs, concealed services, or abnormal modification of boot components indicative of rootkit activity.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| DriverSignatureStatus | Signed vs. unsigned drivers; many environments restrict unsigned drivers, but some legacy systems allow them. |
| TargetDirectory | Suspicious driver or DLL drop locations, e.g., \System32\Drivers\ or \Temp\ |
| UserContext | Rootkit installation via admin or SYSTEM account. |
Linux
AN1062
Abnormal loading of kernel modules, direct tampering with /dev, /proc, or LD_PRELOAD behaviors hiding processes or files.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| MonitoredDirectories | Directories where kernel modules or tampering could be staged (e.g., /lib/modules/). |
| ModuleNamePattern | Regex or heuristic match to anomalous module names (e.g., suspicious entropy or gibberish). |
| LD_PRELOAD | Monitor presence of suspicious preload values that mask processes or files. |
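A worked check for the AN1062 mutable elements, added here as an example and not part of this detection strategy's own content: it scores /proc/modules-style lines against the ModuleNamePattern and kernel taint-flag heuristics and screens preload entries (from /etc/ld.so.preload or an LD_PRELOAD value) against an allowlist. The sample telemetry, the allowlist and the entropy threshold are constructed assumptions to be tuned per environment.

```python
import math
import re
from collections import Counter

# Constructed sample telemetry, not real data. A /proc/modules line reads:
# name size refcount deps state address [taint]; "(OE)" = out-of-tree, unsigned.
SAMPLE_PROC_MODULES = """\
ext4 761856 1 - Live 0xffffffffc0a00000
xfrm_user 40960 1 - Live 0xffffffffc0b00000
qx7zk1vt 16384 0 - Live 0xffffffffc0c00000 (OE)
"""
SAMPLE_LD_PRELOAD = "/usr/lib/libcap.so.2\n/tmp/.x/libhide.so\n"  # constructed
PRELOAD_ALLOWLIST = {"/usr/lib/libcap.so.2"}  # site-specific assumption

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_gibberish(name, entropy_threshold=3.0):  # threshold assumed, tune per fleet
    """ModuleNamePattern heuristic: high-entropy stem with no vowels or with
    repeated letter/digit alternation ('qx7zk1vt'); 'ext4', 'xfrm_user' pass."""
    stem = name.replace("_", "")
    if shannon_entropy(stem) < entropy_threshold:
        return False
    transitions = len(re.findall(r"[a-z][0-9]|[0-9][a-z]", stem))
    return not (set(stem) & set("aeiou")) or transitions >= 2

def suspicious_modules(text):
    """Map module name -> reasons, from /proc/modules-style text."""
    findings = {}
    for parts in (l.split() for l in text.splitlines() if len(l.split()) >= 6):
        name, flags = parts[0], (parts[6].strip("()") if len(parts) > 6 else "")
        reasons = ["taint flags " + flags] if set(flags) & set("OE") else []
        if looks_gibberish(name):
            reasons.append("gibberish name")
        if reasons:
            findings[name] = reasons
    return findings

def suspicious_preloads(entries, allowlist=PRELOAD_ALLOWLIST):
    """Map preload path -> reasons. Entries are /etc/ld.so.preload lines or an
    LD_PRELOAD value split with re.split(r'[:\\s]+', value)."""
    findings = {}
    for path in (e.strip() for e in entries if e.strip()):
        reasons = [] if path in allowlist else ["not allowlisted"]
        if path.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")):
            reasons.append("staging directory")
        if reasons:
            findings[path] = reasons
    return findings
```

On a live host, feed `open("/proc/modules").read()` and `open("/etc/ld.so.preload").read().splitlines()` to the two functions; a rootkit that hides its module from /proc/modules will not appear here, so pair this with a comparison against the loaded-module list from a trusted source.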
macOS
AN1063
Execution of unsigned kernel extensions (KEXTs), tampering with LaunchDaemons, or userspace hooks into system libraries.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| KextSignatureStatus | Allowable level of unsigned/third-party kernel extensions varies by organization. |
| KextLoadOrigin | Detect whether the extension was loaded by an untrusted process or non-root user. |
| AnomalousLaunchAgent | Detection tuned based on deviation from known/approved LaunchDaemon plist files. |