Kernel Extensions

Overview

Evidence: Kernel Extensions
Description: Filter kernel extension events
Category: System
Platform: macos
Short Name: kxt
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Kernel extensions (kexts) are loadable kernel modules that extend macOS kernel functionality. The kextd daemon manages loading, unloading, and validation of kernel extensions. IOKit events capture hardware driver interactions and kernel-level system modifications.

Data Collected

This collector gathers structured data about kernel extensions.

Collection Method

This collector runs the macOS 'log' command with a predicate filter to extract kextd process events from IOKit covering the last 3 days. The command's JSON output is parsed and each entry is stored in the unified_logs table with PredicateType='Kernel Extensions'.
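The steps above (build the 'log show' command, parse its JSON output into unified_logs-style rows) as an added Python example; this is illustrative code, not the collector's own implementation. The predicate 'process == "kextd"', the row column names, the subsystem/category values and the log messages in the sample are all assumptions or constructed data, since the page does not show the collector's exact predicate or schema. The third_party_bundle_ids helper goes one step beyond the page and pulls non-Apple bundle identifiers out of the messages as triage leads.

```python
import json
import re
import subprocess
from datetime import datetime

# Assumed predicate: the page says kextd events are filtered from IOKit but
# does not show the exact predicate, so this simply restricts to the kextd process.
LOG_PREDICATE = 'process == "kextd"'
PREDICATE_TYPE = "Kernel Extensions"
# `log show --style json` timestamps look like 2024-03-01 09:15:42.123456-0800
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"
# Reverse-DNS bundle identifiers with at least three components (com.vendor.name)
BUNDLE_ID_RE = re.compile(r"\b[A-Za-z][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+){2,}\b")


def build_log_command(days=3, predicate=LOG_PREDICATE):
    """argv for `log show`: predicate filter, last N days, JSON output."""
    return ["log", "show", "--predicate", predicate,
            "--last", f"{days}d", "--style", "json"]


def parse_log_json(raw):
    """Convert `log show --style json` output into unified_logs-style rows
    (column names are assumed, not the tool's real schema)."""
    rows = []
    for entry in json.loads(raw):
        ts = entry.get("timestamp")
        rows.append({
            "timestamp": datetime.strptime(ts, TIMESTAMP_FORMAT) if ts else None,
            "process": entry.get("process"),
            "process_image_path": entry.get("processImagePath"),
            "subsystem": entry.get("subsystem"),
            "category": entry.get("category"),
            "message_type": entry.get("messageType"),
            "message": entry.get("eventMessage", ""),
            "predicate_type": PREDICATE_TYPE,
        })
    return rows


def third_party_bundle_ids(rows):
    """Bundle identifiers mentioned in the messages that are not Apple's own.
    A non-com.apple identifier is a lead for the analyst, not proof of malice."""
    found = set()
    for row in rows:
        for bid in BUNDLE_ID_RE.findall(row["message"]):
            if not bid.startswith("com.apple."):
                found.add(bid)
    return sorted(found)


def collect(days=3, run=subprocess.run):
    """Run the collection on a live macOS host; `run` is injectable for testing."""
    proc = run(build_log_command(days), capture_output=True, text=True, check=True)
    return parse_log_json(proc.stdout)


# Constructed sample in the shape of `log show --style json` output; the
# subsystem, category and message texts are made up for illustration.
SAMPLE_LOG_JSON = json.dumps([
    {"timestamp": "2024-03-01 09:15:42.123456-0800", "process": "kextd",
     "processImagePath": "/usr/libexec/kextd", "subsystem": "com.apple.kext",
     "category": "load", "messageType": "Default",
     "eventMessage": "loaded kext com.apple.driver.AppleSample (constructed)"},
    {"timestamp": "2024-03-01 09:16:03.000001-0800", "process": "kextd",
     "processImagePath": "/usr/libexec/kextd", "subsystem": "com.apple.kext",
     "category": "load", "messageType": "Error",
     "eventMessage": "kext com.example.sampledriver failed validation (constructed)"},
])

if __name__ == "__main__":
    rows = parse_log_json(SAMPLE_LOG_JSON)
    for row in rows:
        print(row["timestamp"], row["message_type"], row["message"])
    print("third-party bundle ids:", third_party_bundle_ids(rows))
```

On a real host, collect() runs the command and needs no sample data; the injectable run parameter lets the parser be exercised against captured JSON on an analysis workstation without a macOS log store.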

Forensic Value

Kernel extension logs are essential for investigating rootkits, kernel-level malware, unauthorized drivers, and system-level compromise. They reveal what kernel modules were loaded, which can indicate advanced persistent threats, bootkit infections, or malicious driver installations used for defense evasion.
