Kernel Extensions Info
Overview
Evidence: Kernel Extensions Info
Description: Collect kernel extensions info
Category: System
Platform: macos
Short Name: kext
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Kernel extensions (kexts) extend the macOS kernel with device drivers and other low-level components that run with the kernel's own privileges. Because a malicious or vulnerable kext has full control of the system, an inventory of loaded kexts is essential for detecting rootkits, unauthorized kernel modifications, and risky third-party drivers.
Data Collected
This collector gathers one structured record per loaded kernel extension.
Kernel Extensions Info Data
| Field | Description | Example |
|---|---|---|
| IDx | Load tag (index) of the extension, as shown by kextstat | 123 |
| Refs | Number of other loaded kexts that reference this one | 123 |
| MemorySize | Wired kernel memory used by the extension, in bytes | 123 |
| Name | Bundle identifier of the extension | Example value |
| Version | Version string of the extension bundle | Example value |
| LinkedAgainst | Load tags of the kexts this extension is linked against (kextstat-style list) | <7 6 5 3 1> |
| Path | Path to the .kext bundle on disk; empty when osquery reports no bundle path | Example value |
| LastChangeTime | Inode change time (ctime) of the extension's executable | 2023-10-15 14:30:25+03:00 |
| AccessTime | Last access time (atime) of the extension's executable | 2023-10-15 14:30:25+03:00 |
| ModificationTime | Last modification time (mtime) of the extension's executable | 2023-10-15 14:30:25+03:00 |
| Hash | Hash of the extension's executable | Example value |
| BinaryPath | Path to the executable (Mach-O) inside the .kext bundle | Example value |
| SizeInBytes | Size of the extension's executable on disk, in bytes | 123 |
Collection Method
This collector queries the kernel_extensions table via osquery and enriches each row with file metadata (timestamps and size) and a hash of the extension's executable, resolved from the bundle path.
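The following is an added example, not the product's own collector code: it takes osquery `kernel_extensions` rows, resolves the executable inside each .kext bundle, adds file metadata and a SHA-256 hash, and flags extensions loaded from outside Apple's system extension directory. The sample osquery output, the temporary ExampleDriver.kext bundle and the "third-party location" heuristic are constructed for illustration; the hash algorithm is an assumption, since the page does not state which one the collector uses.

```python
"""Enrich osquery kernel_extensions rows with file metadata, a hash and a
simple triage flag. Added example; sample data is constructed."""
import hashlib
import json
import os
import plistlib
import re
import subprocess
import tempfile
from datetime import datetime

# Apple ships its own kexts under this prefix; anything loaded from elsewhere
# (typically /Library/Extensions) is third-party and deserves a closer look.
# Assumption: a location heuristic only, not a code-signing check.
APPLE_KEXT_PREFIX = "/System/Library/Extensions/"

# Constructed sample of `osqueryi --json "SELECT * FROM kernel_extensions"`.
# The bundle path is a placeholder that demo() points at a temporary bundle.
SAMPLE_OSQUERY_JSON = """[
  {"idx":"0","refs":"163","size":"0","name":"__kernel__","version":"22.6.0",
   "linked_against":"","path":""},
  {"idx":"123","refs":"0","size":"45056","name":"com.example.vendor.driver",
   "version":"1.2.3","linked_against":"<7 6 5 3 1>",
   "path":"/Library/Extensions/ExampleDriver.kext"}
]"""


def query_kernel_extensions():
    """Live collection: run osqueryi and return its rows (needs macOS + osquery)."""
    out = subprocess.run(["osqueryi", "--json", "SELECT * FROM kernel_extensions;"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def parse_linked_against(value):
    """'<7 6 5 3 1>' -> [7, 6, 5, 3, 1]; tolerant of empty or unbracketed values."""
    return [int(tok) for tok in re.findall(r"\d+", value or "")]


def find_binary_path(bundle_path):
    """Resolve the Mach-O inside a .kext bundle via Info.plist CFBundleExecutable."""
    info = os.path.join(bundle_path, "Contents", "Info.plist")
    try:
        with open(info, "rb") as f:
            exe = plistlib.load(f).get("CFBundleExecutable")
    except (OSError, plistlib.InvalidFileException):
        exe = None
    if not exe:  # fall back to the conventional executable name
        exe = os.path.splitext(os.path.basename(bundle_path))[0]
    candidate = os.path.join(bundle_path, "Contents", "MacOS", exe)
    return candidate if os.path.isfile(candidate) else None


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def local_iso(ts):
    """Epoch seconds -> '2023-10-15 14:30:25+03:00' in the host's local zone."""
    return datetime.fromtimestamp(ts).astimezone().isoformat(sep=" ", timespec="seconds")


def enrich(row):
    """One osquery row -> a record with this evidence type's fields plus ThirdParty."""
    path = row.get("path") or None
    rec = {
        "IDx": int(row["idx"]), "Refs": int(row["refs"]), "MemorySize": int(row["size"]),
        "Name": row["name"], "Version": row["version"],
        "LinkedAgainst": parse_linked_against(row.get("linked_against")),
        "Path": path, "BinaryPath": None, "Hash": None, "SizeInBytes": None,
        "LastChangeTime": None, "AccessTime": None, "ModificationTime": None,
        "ThirdParty": bool(path) and not path.startswith(APPLE_KEXT_PREFIX),
    }
    binary = find_binary_path(path) if path else None
    if binary:  # extensions without a bundle path (in-kernel) cannot be hashed
        st = os.stat(binary)
        rec.update(BinaryPath=binary, Hash=sha256_file(binary), SizeInBytes=st.st_size,
                   LastChangeTime=local_iso(st.st_ctime), AccessTime=local_iso(st.st_atime),
                   ModificationTime=local_iso(st.st_mtime))
    return rec


def build_demo_bundle(root):
    """Construct a fake ExampleDriver.kext so the enrichment can run offline."""
    bundle = os.path.join(root, "ExampleDriver.kext")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    with open(os.path.join(bundle, "Contents", "Info.plist"), "wb") as f:
        plistlib.dump({"CFBundleExecutable": "ExampleDriver"}, f)
    with open(os.path.join(bundle, "Contents", "MacOS", "ExampleDriver"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # 64-bit Mach-O magic + padding
    return bundle


def demo():
    """Run the constructed sample through enrich(); returns the list of records."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = build_demo_bundle(tmp)
        rows = json.loads(SAMPLE_OSQUERY_JSON)
        for r in rows:
            if r["path"]:
                r["path"] = bundle  # point the placeholder path at the fake bundle
        return [enrich(r) for r in rows]


if __name__ == "__main__":
    for rec in demo():
        flag = "THIRD-PARTY" if rec["ThirdParty"] else "apple/builtin"
        print(f"{rec['IDx']:>4} {flag:<13} {rec['Name']} {rec['Hash'] or '-'}")
```

On a real host, replace `demo()` with `[enrich(r) for r in query_kernel_extensions()]`. Records whose `Path` is empty are kexts osquery reports without a bundle on disk and cannot be hashed; records flagged `ThirdParty` are the first candidates to check with `codesign` and against known-good hashes.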
Forensic Value
This evidence is crucial for forensic investigations because it lists the kernel extensions that were loaded at collection time, which enables detection of kernel-level persistence, unsigned or unexpected third-party drivers, and tampering with the kernel. The recorded hashes can be compared against known-good builds and threat intelligence, and the file timestamps help place an installation on the incident timeline. Note that the inventory is a snapshot: a kext unloaded before collection will not appear and must be sought in other evidence.