---
title: Kernel module loaded
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Kernel module loaded
---

# Kernel module loaded
Classification: attack. Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004). Technique: [T1547-boot-or-logon-autostart-execution](https://attack.mitre.org/techniques/T1547).
## Goal{% #goal %}

Detect when a Linux kernel module is loaded. Attackers load kernel modules (rootkits) to hide processes, files, or network connections, and to maintain privileged access to a compromised host.

## Strategy{% #strategy %}

This rule monitors for Module Activity Load events (`ocsf.class_uid:1005 @ocsf.activity_name:Load`). When the source is auditd, this corresponds to the `finit_module` syscall. A single occurrence is sufficient to trigger an alert, since loading a kernel module is uncommon in production environments.
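As an added example (not Datadog's own rule code), the following Python applies the same match, OCSF class 1005 with activity Load, to constructed sample records, and normalises a constructed auditd SYSCALL line for `finit_module` into that shape so the one check covers both sources. The x86_64 syscall numbers, the inclusion of the older `init_module` entry point, and the record layout are my assumptions, not taken from the page.

```python
import re
from typing import Optional

MODULE_ACTIVITY_CLASS_UID = 1005   # OCSF "Module Activity" class
LOAD_ACTIVITY = "Load"

# Assumption: x86_64 syscall numbering; auditd logs the number unless log_format=ENRICHED.
MODULE_LOAD_SYSCALLS = {"313": "finit_module", "175": "init_module"}

# Constructed sample records, not real telemetry.
OCSF_EVENTS = [
    {"host": "web-01", "ocsf": {"class_uid": 1005, "activity_name": "Load",
                                "module": {"name": "suspicious.ko"}}},
    {"host": "web-01", "ocsf": {"class_uid": 1005, "activity_name": "Unload",
                                "module": {"name": "nf_tables"}}},
    {"host": "web-01", "ocsf": {"class_uid": 1007, "activity_name": "Launch"}},
]
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=313 success=yes '
    'exit=0 a0=3 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"',
    'type=SYSCALL msg=audit(1700000001.456:43): arch=c000003e syscall=59 success=yes '
    'exit=0 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)',
]

AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def is_module_load(event: dict) -> bool:
    """The rule's match: Module Activity (class_uid 1005) with activity Load."""
    ocsf = event.get("ocsf", {})
    return (ocsf.get("class_uid") == MODULE_ACTIVITY_CLASS_UID
            and ocsf.get("activity_name") == LOAD_ACTIVITY)


def auditd_to_ocsf(line: str) -> Optional[dict]:
    """Map a raw auditd SYSCALL record for a module-load syscall into the OCSF shape."""
    fields = {k: v.strip('"') for k, v in AUDIT_FIELD.findall(line)}
    syscall = MODULE_LOAD_SYSCALLS.get(fields.get("syscall", ""))
    if fields.get("type") != "SYSCALL" or syscall is None:
        return None  # not a SYSCALL record, or not a module-load syscall
    return {"host": fields.get("node", "unknown"),
            "ocsf": {"class_uid": MODULE_ACTIVITY_CLASS_UID, "activity_name": LOAD_ACTIVITY,
                     "api": syscall, "process": {"name": fields.get("comm")}}}


def module_load_alerts(ocsf_events, auditd_lines) -> list:
    """One alert per matching event: a single occurrence is enough for this rule."""
    normalised = [e for e in (auditd_to_ocsf(l) for l in auditd_lines) if e]
    return [e for e in list(ocsf_events) + normalised if is_module_load(e)]
```

Each returned alert carries the host and the OCSF fields, which is what the triage steps below start from when identifying the module and the loading process.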

## Triage and response{% #triage-and-response %}

1. Identify the module being loaded by reviewing the logs surrounding the event on host `{{host}}`; look for the filename passed to the loader.
1. Verify whether the module load was expected (e.g., a scheduled kernel update, driver installation).
1. If unexpected, examine the module file for signs of tampering or malicious code.
1. Check for rootkit indicators: hidden processes, unexpected network connections, or modifications to `/proc` and `/sys`.
1. If confirmed malicious, isolate the host and begin incident response procedures.
