---
title: Kernel rootkit installation attack
---

# Kernel rootkit installation attack
Classification: attack. Tactic: [TA0005 Defense Evasion](https://attack.mitre.org/tactics/TA0005). Technique: [T1547 Boot or Logon Autostart Execution](https://attack.mitre.org/techniques/T1547)
## Goal{% #goal %}

Detect kernel rootkit installation by correlating multiple indicators of kernel-level compromise within the same execution context.

## Strategy{% #strategy %}

This correlation rule identifies kernel rootkit activity by detecting specific combinations of the following activity groups, all observed in the same execution context:

- **Kernel Module Modification**: File operations on kernel module files, including `chmod`, `chown`, `link`, `open`, `rename`, `unlink`, and timestamp (`utimes`) modifications, under kernel module directories such as `/lib/modules/`
- **Kernel Module Loading**: Loading of a kernel module from a file on disk or from a memory image (`finit_module` and `init_module`), including module loading performed from inside a container
- **Development Environment**: Installation of kernel headers, compiler usage in containers, or compilation activity following file delivery, all of which indicate that a rootkit may be built on the host rather than copied in prebuilt
- **Stealth and Discovery**: Process masquerading, such as a user-space process that names itself like a kernel thread or renames itself with `prctl(PR_SET_NAME)`, and kernel module enumeration using `lsmod` or `kmod`

The rule raises a signal whose severity depends on which activity groups co-occur in one execution context, and on whether that context is an interactive session:

| Case                                       | Severity | Required Components                                                                |
| ------------------------------------------ | -------- | ---------------------------------------------------------------------------------- |
| Advanced Kernel Rootkit                    | Critical | Module Modification + Module Loading + Development Environment + Stealth/Discovery |
| Kernel Module Installation (Interactive)   | High     | Module Modification + Module Loading (interactive session)                         |
| Rootkit Development Activity (Interactive) | High     | Development Environment + Module Loading (interactive session)                     |
| Kernel Module Installation                 | Medium   | Module Modification + Module Loading                                               |
| Rootkit Development Activity               | Medium   | Development Environment + Module Loading                                           |
| Kernel Reconnaissance                      | Medium   | Stealth/Discovery + Module Modification                                            |
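The activity groups and the severity table above, worked through as an added example: a small correlator that maps sample events to the four groups, buckets them by execution context, and picks the most severe matching case. This is not Datadog's rule definition or event schema; the `Event` fields, the execution-context key, the path prefixes, the command and package names, and the sample events are all assumptions chosen to illustrate the logic.

```python
"""Correlation logic of the "Kernel rootkit installation attack" rule, as an
added example. Not Datadog's rule or event schema: every field, path prefix,
command name and sample event below is an assumption for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

KMOD_DIRS = ("/lib/modules/", "/usr/lib/modules/")        # assumed module dirs
KMOD_FILE_OPS = {"chmod", "chown", "link", "open", "rename", "unlink", "utimes"}
MODULE_LOAD_OPS = {"init_module", "finit_module"}          # from memory / from a file
COMPILERS = {"gcc", "cc", "clang", "make"}
HEADER_PKGS = ("linux-headers", "kernel-devel", "kernel-headers")
ENUMERATION = {"lsmod", "kmod"}
KTHREAD_NAMES = ("kworker", "kthreadd", "ksoftirqd", "kswapd")


@dataclass(frozen=True)
class Event:
    ctx: str                     # execution context, e.g. "<container>:<session>" (assumed)
    kind: str                    # "file", "load", "exec", "pkg" or "prctl"
    interactive: bool = False    # event came from an interactive (tty) session
    path: str = ""
    op: str = ""
    comm: str = ""               # process name as the kernel sees it
    ppid: int = 1
    args: tuple[str, ...] = ()


def classify(ev: Event) -> str | None:
    """Map one event to an activity group, or None if it is not of interest."""
    if ev.kind == "file" and ev.op in KMOD_FILE_OPS and ev.path.startswith(KMOD_DIRS):
        return "modification"
    if ev.kind == "load" and ev.op in MODULE_LOAD_OPS:
        return "loading"
    if ev.kind == "exec" and ev.comm in COMPILERS:
        return "development"
    if ev.kind == "pkg" and any(a.startswith(HEADER_PKGS) for a in ev.args):
        return "development"
    if ev.kind == "exec" and ev.comm in ENUMERATION:
        return "stealth"
    # A genuine kernel thread is a child of kthreadd (PID 2); a process with a
    # kworker-style name and any other parent is masquerading.
    if ev.kind == "exec" and ev.comm.startswith(KTHREAD_NAMES) and ev.ppid != 2:
        return "stealth"
    if ev.kind == "prctl" and ev.op == "PR_SET_NAME":
        return "stealth"
    return None


# (case, severity, required groups, needs interactive session), ordered so the
# first match is the most severe case that applies.
CASES = [
    ("Advanced Kernel Rootkit", "critical",
     {"modification", "loading", "development", "stealth"}, False),
    ("Kernel Module Installation (Interactive)", "high", {"modification", "loading"}, True),
    ("Rootkit Development Activity (Interactive)", "high", {"development", "loading"}, True),
    ("Kernel Module Installation", "medium", {"modification", "loading"}, False),
    ("Rootkit Development Activity", "medium", {"development", "loading"}, False),
    ("Kernel Reconnaissance", "medium", {"stealth", "modification"}, False),
]


def evaluate(groups: set[str], interactive: bool) -> tuple[str, str] | None:
    for name, severity, required, needs_tty in CASES:
        if required <= groups and (interactive or not needs_tty):
            return name, severity
    return None


def correlate(events) -> dict[str, tuple[str, str]]:
    """Bucket events by execution context; return {ctx: (case, severity)}."""
    groups: dict[str, set[str]] = defaultdict(set)
    interactive: dict[str, bool] = defaultdict(bool)
    for ev in events:
        group = classify(ev)
        if group is None:
            continue
        groups[ev.ctx].add(group)
        interactive[ev.ctx] |= ev.interactive
    signals = {}
    for ctx, found in groups.items():
        hit = evaluate(found, interactive[ctx])
        if hit:
            signals[ctx] = hit
    return signals


# Constructed sample telemetry: an interactive container session that installs
# headers, builds, stages and loads a module, then masquerades as a kworker; a
# non-interactive build-and-load; and a host session that only runs lsmod.
SAMPLE_EVENTS = [
    Event("ctr-a:sess-1", "pkg", True, args=("apt-get", "install", "linux-headers-6.1.0-example")),
    Event("ctr-a:sess-1", "exec", True, comm="gcc", args=("gcc", "-c", "rk.c")),
    Event("ctr-a:sess-1", "file", True, path="/lib/modules/6.1.0-example/extra/rk.ko", op="rename"),
    Event("ctr-a:sess-1", "load", True, path="/lib/modules/6.1.0-example/extra/rk.ko", op="finit_module"),
    Event("ctr-a:sess-1", "exec", True, comm="kworker/u8:3", ppid=4242),
    Event("ctr-b:sess-7", "pkg", args=("yum", "install", "kernel-devel")),
    Event("ctr-b:sess-7", "load", op="init_module"),
    Event("host:sess-3", "exec", True, comm="lsmod"),
]

if __name__ == "__main__":
    for ctx, (case, severity) in correlate(SAMPLE_EVENTS).items():
        print(f"{severity:8} {ctx}: {case}")
```

Note that a context that only enumerates modules (`host:sess-3`) produces no signal on its own: the rule needs module modification in the same context before `lsmod` counts as reconnaissance, which is what keeps routine administration from paging anyone.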

## Triage & Response{% #triage--response %}

1. **Isolate immediately**: Isolate the affected host at the network level. To preserve memory evidence, **DO NOT REBOOT**.

1. **Examine kernel modules**: Review currently loaded modules with `lsmod` and compare against a known-good baseline to identify unauthorized modules. `lsmod` only reads `/proc/modules`, so a rootkit that has unlinked itself from the kernel's module list will not appear there; cross-check `/sys/module/` and the kernel taint flags in `/proc/sys/kernel/tainted` (out-of-tree and unsigned module bits), and treat the memory image as authoritative.

1. **Investigate modified files**: Analyze kernel module files that were modified in `/lib/modules/` or similar paths. Compare against package-manager checksums where available (for example `rpm -V` or `debsums`), and remember that a modification timestamp can be reset with `utimes` while the inode change time cannot.

1. **Check development activity**: Review compilation activity, kernel header installations, and build artifacts (source files, object files, `.ko` files outside the packaged module tree) that may indicate rootkit compilation.

1. **Analyze stealth techniques**: Investigate process masquerading and kernel-level hiding mechanisms, including user-space processes that mimic kernel thread names. A genuine kernel thread has `kthreadd` (PID 2) as its parent and no readable `/proc/<pid>/exe`; a process with a kernel-thread-style name and a different parent is masquerading.

1. **Perform memory forensics**: Capture memory dumps and analyze for rootkit artifacts before any remediation.

1. **Check for persistence**: Review boot configurations, initramfs, and module loading configurations (`/etc/modules`, `/etc/modules-load.d/`, `/etc/modprobe.d/`) for persistence mechanisms.

1. **Boot from external media**: Use a clean boot environment for forensic analysis and rootkit detection tools, since tools run on the compromised kernel can be lied to.

1. **Rebuild system**: Restore from known-good images with kernel module signature enforcement and Secure Boot enabled.
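The module-review parts of the runbook above (loaded modules against a baseline and against sysfs, taint flags, modified module files, and autoload configuration), as an added example. This is not part of the Datadog page or product; the baseline list, the sample `/proc/modules` text, the sample file timestamps and the report layout are constructed, and `--live` is an option invented here to run the same checks against the local machine.

```python
"""Triage helpers for the loaded-module, modified-file and persistence steps.
Added example, not Datadog code. Baseline, sample inputs and report format are
constructed; pass --live to run the checks against the local kernel instead."""
from __future__ import annotations

import os

# Taint bits tied to module loading, numbered as in include/linux/panic.h
# (TAINT_PROPRIETARY_MODULE=0, TAINT_FORCED_MODULE=1, TAINT_OOT_MODULE=12,
# TAINT_UNSIGNED_MODULE=13).
TAINT_BITS = {
    0: "P: proprietary module loaded",
    1: "F: module force-loaded",
    12: "O: out-of-tree module loaded",
    13: "E: unsigned module loaded",
}
AUTOLOAD_DIRS = ("/etc/modules-load.d", "/etc/modprobe.d", "/usr/lib/modules-load.d")
AUTOLOAD_FILES = ("/etc/modules",)


def parse_proc_modules(text: str) -> set[str]:
    """/proc/modules is what lsmod reads: 'name size refcnt users state addr'."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def unexpected_modules(loaded: set[str], baseline) -> list[str]:
    return sorted(loaded - set(baseline))


def hidden_from_lsmod(loaded: set[str], sysfs_loaded) -> list[str]:
    """A loaded module keeps /sys/module/<name>/initstate even after a rootkit
    unlinks itself from the list /proc/modules is generated from."""
    return sorted(set(sysfs_loaded) - loaded)


def decode_taint(value: int) -> list[str]:
    return [desc for bit, desc in TAINT_BITS.items() if (value >> bit) & 1]


def flag_recent(entries, since: float) -> list[str]:
    """entries: (path, mtime, ctime). utimes() can backdate mtime, but the kernel
    sets ctime itself, so a ctime past the cutoff exposes a timestomped file."""
    return sorted(p for p, mtime, ctime in entries if mtime >= since or ctime >= since)


def walk_module_tree(root: str = "/lib/modules"):
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            yield path, st.st_mtime, st.st_ctime


def sysfs_loaded_modules(sysfs: str = "/sys/module") -> list[str]:
    try:
        names = os.listdir(sysfs)
    except OSError:
        return []
    # built-in modules also get a /sys/module entry but never an initstate file
    return [n for n in names if os.path.exists(os.path.join(sysfs, n, "initstate"))]


def autoload_config() -> list[str]:
    found = [f for f in AUTOLOAD_FILES if os.path.exists(f)]
    for d in AUTOLOAD_DIRS:
        if os.path.isdir(d):
            found += sorted(os.path.join(d, f) for f in os.listdir(d))
    return found


def triage(proc_modules_text, sysfs_loaded, baseline, taint, file_entries, since):
    loaded = parse_proc_modules(proc_modules_text)
    return {
        "unexpected": unexpected_modules(loaded, baseline),
        "hidden": hidden_from_lsmod(loaded, sysfs_loaded),
        "taint": decode_taint(taint),
        "recent_files": flag_recent(file_entries, since),
    }


# Constructed samples: nf_tables is loaded but not in the baseline; hidden_mod
# is in sysfs but missing from /proc/modules; rk.ko has a backdated mtime.
SAMPLE_PROC_MODULES = "xfs 1802240 2 - Live 0xffffffffc0a00000\nnf_tables 245760 0 - Live 0xffffffffc0900000\n"
SAMPLE_SYSFS = ["xfs", "nf_tables", "hidden_mod"]
SAMPLE_BASELINE = ["xfs"]
SAMPLE_FILES = [
    ("/lib/modules/6.1.0-example/kernel/fs/xfs/xfs.ko", 1_690_000_000, 1_690_000_000),
    ("/lib/modules/6.1.0-example/extra/rk.ko", 1_650_000_000, 1_700_050_000),
]

if __name__ == "__main__":
    import sys
    import time
    if "--live" in sys.argv:
        with open("/proc/modules") as f, open("/proc/sys/kernel/tainted") as t:
            report = triage(f.read(), sysfs_loaded_modules(), SAMPLE_BASELINE,
                            int(t.read()), walk_module_tree(), time.time() - 7 * 86400)
        report["autoload"] = autoload_config()
    else:
        report = triage(SAMPLE_PROC_MODULES, SAMPLE_SYSFS, SAMPLE_BASELINE,
                        0x3000, SAMPLE_FILES, 1_700_000_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it from a clean boot environment or against a mounted image where possible; on a live compromised kernel, `/proc` and `/sys` are themselves produced by the code under suspicion, so an empty `hidden` list is not proof of absence.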
