Kernel Extensions
Overview
Evidence: Kernel Extensions
Description: Filter kernel extension events
Category: System
Platform: macos
Short Name: kxt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Kernel extensions (kexts) are loadable kernel modules that extend macOS kernel functionality. The kextd daemon manages the loading, unloading, and validation of kernel extensions. IOKit events capture hardware driver interactions and kernel-level system modifications.
Data Collected
This collector gathers structured data about kernel extensions.
Collection Method
This collector uses the macOS 'log' command with predicate-based filtering to extract kextd process events from IOKit over the last 3 days. The log entries are parsed from JSON output and stored in the unified_logs table with PredicateType='Kernel Extensions'.
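The collection flow above, as an added example that is not the collector's own code: it assembles a 'log show' invocation with JSON output over the last 3 days, parses entries in the shape 'log show --style json' emits, and stores them in a unified_logs table tagged with PredicateType. The predicate string and the sample entries are assumptions; the page only states that kextd events from IOKit are selected.

```python
import json
import sqlite3

PREDICATE_TYPE = "Kernel Extensions"
# Assumed predicate: the page only says "kextd process events from IOKit".
PREDICATE = 'process == "kextd" AND subsystem == "com.apple.iokit"'

def build_log_command(last="3d"):
    """Assemble the `log show` invocation: JSON output over the last 3 days."""
    return ["log", "show", "--last", last, "--style", "json",
            "--predicate", PREDICATE]

def parse_entries(raw_json):
    """Turn `log show --style json` output into unified_logs-style rows."""
    rows = []
    for e in json.loads(raw_json):
        if e.get("processImageName") != "kextd":  # belt-and-braces filter
            continue
        rows.append((e.get("timestamp"), e.get("processImageName"),
                     e.get("processID"), e.get("subsystem"),
                     e.get("eventMessage"), PREDICATE_TYPE))
    return rows

def store_rows(rows):
    """Load rows into an in-memory unified_logs table tagged by PredicateType."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE unified_logs (timestamp TEXT, process TEXT, "
                 "pid INTEGER, subsystem TEXT, message TEXT, PredicateType TEXT)")
    conn.executemany("INSERT INTO unified_logs VALUES (?,?,?,?,?,?)", rows)
    return conn

def count_kext_events(conn):
    """Number of rows the investigation hub would see under this PredicateType."""
    return conn.execute("SELECT COUNT(*) FROM unified_logs "
                        "WHERE PredicateType = ?", (PREDICATE_TYPE,)).fetchone()[0]

# Constructed sample of three entries in the `log show --style json` shape.
SAMPLE_JSON = json.dumps([
    {"timestamp": "2024-05-01 10:00:01.000000-0400", "processImageName": "kextd",
     "processID": 145, "subsystem": "com.apple.iokit",
     "eventMessage": "Loading kext com.example.driver (constructed)"},
    {"timestamp": "2024-05-01 10:00:02.000000-0400", "processImageName": "launchd",
     "processID": 1, "subsystem": "com.apple.xpc",
     "eventMessage": "unrelated entry (constructed)"},
    {"timestamp": "2024-05-01 10:05:00.000000-0400", "processImageName": "kextd",
     "processID": 145, "subsystem": "com.apple.iokit",
     "eventMessage": "Unloaded kext com.example.driver (constructed)"},
])

if __name__ == "__main__":
    conn = store_rows(parse_entries(SAMPLE_JSON))
    print(count_kext_events(conn))  # 2
```

On a live host, replace SAMPLE_JSON with the stdout of subprocess.run(build_log_command(), capture_output=True, text=True).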
Forensic Value
Kernel extension logs are essential for investigating rootkits, kernel-level malware, unauthorized drivers, and system-level compromise. They reveal which kernel modules were loaded, which can indicate advanced persistent threats, bootkit infections, or malicious driver installations used for defense evasion.