Kernel modules can be used to automatically execute code when a host starts up. Attackers sometimes use kernel modules to gain persistence on a particular host, ensuring that their code is executed even after a system reboot. Kernel modules can also help attackers gain elevated permissions on a system.
Kernel modules are loaded from the /lib/modules directory in Linux. This detection watches for all new files created under that directory.
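
The detection logic described above, as an added example that is not part of the original page or of any product's rule: it filters file-creation events down to those under /lib/modules. The event schema, the sample events and the extra /usr/lib/modules root (for distributions where /lib is a symlink to /usr/lib) are assumptions made for illustration.

```python
import posixpath

# /lib/modules is the path named on the page. /usr/lib/modules is an added
# assumption: on merged-/usr distributions /lib is a symlink to /usr/lib.
WATCHED_ROOTS = ("/lib/modules", "/usr/lib/modules")
MODULE_SUFFIXES = (".ko", ".ko.gz", ".ko.xz", ".ko.zst")

# Constructed sample data in a hypothetical, already-normalized event schema.
SAMPLE_EVENTS = [
    {"action": "created", "path": "/lib/modules/5.15.0-91-generic/extra/netfilt.ko", "process": "/usr/bin/cp", "uid": 0},
    {"action": "modified", "path": "/lib/modules/5.15.0-91-generic/modules.dep", "process": "/usr/sbin/depmod", "uid": 0},
    {"action": "created", "path": "/tmp/../usr/lib/modules/5.15.0-91-generic/kernel/x.ko.zst", "process": "/usr/bin/install", "uid": 0},
    {"action": "created", "path": "/lib/modules-backup/old.ko", "process": "/usr/bin/tar", "uid": 0},
    {"action": "created", "path": "/home/dev/build/lib/modules/test.ko", "process": "/usr/bin/make", "uid": 1000},
]


def is_under_watched_root(path):
    """True if the normalized path lies strictly inside a watched directory."""
    norm = posixpath.normpath(path)
    # Appending "/" stops look-alike siblings such as /lib/modules-backup
    # from matching on a bare prefix comparison.
    return any(norm.startswith(root + "/") for root in WATCHED_ROOTS)


def detect_new_module_files(events):
    """Return one alert per file-creation event under a watched root."""
    alerts = []
    for ev in events:
        if ev.get("action") != "created":
            continue  # the detection is about new files only
        if not is_under_watched_root(ev.get("path", "")):
            continue
        norm = posixpath.normpath(ev["path"])
        alerts.append({
            "path": norm,
            "process": ev.get("process", "unknown"),
            "uid": ev.get("uid"),
            # Lets triage rank loadable objects above index files.
            "is_module_object": norm.endswith(MODULE_SUFFIXES),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_new_module_files(SAMPLE_EVENTS):
        print(alert)
```

Legitimate kernel and driver package installs also create files here, so the process and timing of each alert are what separate routine updates from unexpected module drops.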