Loading Kernel Modules with kextload

Identify activity related to loading kernel modules on MacOS via the kextload command

id:deca3ab9-93f2-4e1e-b782-97863bc26089 categories:hunt confidence:low os:macos created:7/26/2019 updated:7/26/2019

MITRE ATT&CK™ Mapping

tactics:Persistence techniques:T1215 Kernel Modules and Extensions

Query

process where subtype.create and
  process_name == "kextload"

Contributors

• Endgame