Kernel module loaded

Goal

Detect when a Linux kernel module is loaded. Attackers load kernel modules (rootkits) to hide processes, files, or network connections, and to maintain privileged access to a compromised host.

Strategy

This rule monitors for Module Activity Load events (ocsf.class_uid:1005 @ocsf.activity_name:Load). On auditd this corresponds to finit_module. A single occurrence is sufficient to trigger an alert since this operation is uncommon in production environments.

Triage and response

  1. Identify the module being loaded by reviewing logs surrounding the event on host {{host}} — look for the filename passed to the loader.
  2. Verify whether the module load was expected (e.g., a scheduled kernel update, driver installation).
  3. If unexpected, examine the module file for signs of tampering or malicious code.
  4. Check for rootkit indicators: hidden processes, unexpected network connections, or modifications to /proc and /sys.
  5. If confirmed malicious, isolate the host and begin incident response procedures.
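
As an added example (not the rule's own implementation or Datadog code), the normalisation described in the Strategy section and step 1 of the triage list, in Python: raw auditd records are grouped by audit serial, the module-load syscalls are mapped to OCSF Module Activity / Load events, and the PROCTITLE record is decoded to recover the file the loader was given. The x86_64 syscall numbers, the OCSF field names and the sample records are assumptions constructed for this example.

```python
import re
from collections import defaultdict

MODULE_ACTIVITY_CLASS_UID = 1005  # OCSF Module Activity, as the rule states
# Assumption: x86_64 syscall numbers (raw auditd logs carry numbers; `ausearch -i` prints names, both accepted)
MODULE_LOAD_SYSCALLS = {"313": "finit_module", "175": "init_module"}
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_audit_line(line):
    """Split one auditd record into a field dict; the 'msg' field carries the audit serial."""
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}

def decode_proctitle(value):
    """auditd hex-encodes proctitle when the command has arguments; NUL separates them."""
    try:
        return bytes.fromhex(value).replace(b"\x00", b" ").decode(errors="replace")
    except ValueError:
        return value  # short, argument-free titles are logged as a plain quoted string

def audit_to_ocsf(lines):
    """Yield OCSF-shaped Module Activity events, one per module-load syscall in the stream."""
    by_serial = defaultdict(list)
    for rec in map(parse_audit_line, lines):
        by_serial[rec.get("msg")].append(rec)  # SYSCALL and PROCTITLE share one audit serial
    for msg, recs in by_serial.items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None:
            continue
        name = MODULE_LOAD_SYSCALLS.get(sc.get("syscall"), sc.get("syscall"))
        if name not in MODULE_LOAD_SYSCALLS.values():
            continue
        pt = next((r["proctitle"] for r in recs if r.get("type") == "PROCTITLE"), None)
        yield {"class_uid": MODULE_ACTIVITY_CLASS_UID, "activity_name": "Load",
               "syscall": name, "success": sc.get("success") == "yes",
               "cmdline": decode_proctitle(pt) if pt else None,  # triage step 1: file given to the loader
               "process": sc.get("comm"), "uid": sc.get("uid"), "audit_msg": msg}

def matches_rule(event):
    """The rule's query: class_uid:1005 AND activity_name:Load; one hit is enough to alert."""
    return event.get("class_uid") == MODULE_ACTIVITY_CLASS_UID and event.get("activity_name") == "Load"

def alerts(lines):
    return [e for e in audit_to_ocsf(lines) if matches_rule(e)]

SAMPLE_AUDIT = [  # constructed sample records, not captured from a real host
    'type=SYSCALL msg=audit(1700000000.101:42): arch=c000003e syscall=313 success=yes exit=0 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"',
    'type=PROCTITLE msg=audit(1700000000.101:42): proctitle=696E736D6F64002F746D702F2E63616368652F68656C7065722E6B6F',
    'type=SYSCALL msg=audit(1700000000.103:44): arch=c000003e syscall=59 success=yes exit=0 uid=0 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=PROCTITLE msg=audit(1700000000.103:44): proctitle="ls"',
]
```

Running `alerts(SAMPLE_AUDIT)` yields a single event for the finit_module call with `cmdline` decoded to `insmod /tmp/.cache/helper.ko`; the execve record in the same stream is ignored.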