Kernel Extensions Info

Overview

Evidence: Kernel Extensions Info
Description: Collect kernel extensions info
Category: System
Platform: macOS
Short Name: kext
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

Kernel extensions (kexts) extend the macOS kernel with drivers and low-level components. This data is essential for detecting rootkits, unauthorized kernel modifications, and risky third‑party drivers.

Data Collected

This collector gathers structured data about each loaded kernel extension.

Kernel Extensions Info Data

Field             Description         Example
IDx               I Dx                123
Refs              Refs                123
MemorySize        Memory Size         123
Name              Name                Example value
Version           Version             Example value
LinkedAgainst     Linked Against      Example value
Path              Path                Example value
LastChangeTime    Last Change Time    2023-10-15 14:30:25+03:00
AccessTime        Access Time         2023-10-15 14:30:25+03:00
ModificationTime  Modification Time   2023-10-15 14:30:25+03:00
Hash              Hash                Example value
BinaryPath        Binary Path         Example value
SizeInBytes       Size In Bytes       123

Collection Method

This collector queries the kernel_extensions table via osquery and enriches results with file metadata and hashes.
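The following is an added example, not the product's own collector code. It maps rows from osquery's kernel_extensions table (columns idx, refs, size, name, version, linked_against, path) onto the field set listed above and enriches each one with stat timestamps and a SHA-256 of the kext binary; the bundle layout it assumes for BinaryPath (Contents/MacOS/<bundle name>) and the trusted-directory check are simplifying assumptions, and demo() runs entirely on a constructed fake bundle so it works offline.

```python
# Added example: enrich osquery kernel_extensions rows with file metadata.
# Assumptions: kext path is a bundle dir; binary lives at Contents/MacOS/<name>.
import hashlib, json, os, tempfile
from datetime import datetime, timezone

# Kexts loaded from anywhere else deserve a closer look during triage.
TRUSTED_KEXT_DIRS = ("/System/Library/Extensions/", "/Library/Extensions/")

def _iso(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat(sep=" ")

def _binary_path(bundle):
    # Assumed layout: <Foo>.kext/Contents/MacOS/<Foo>; fall back to the bundle.
    exe = os.path.join(bundle, "Contents", "MacOS",
                       os.path.basename(bundle).rsplit(".kext", 1)[0])
    return exe if os.path.isfile(exe) else bundle

def enrich(row):
    """Map one osquery row to the collector's fields, adding stat + sha256."""
    binary = _binary_path(row["path"])
    rec = {"IDx": int(row["idx"]), "Refs": int(row["refs"]),
           "MemorySize": int(row["size"]), "Name": row["name"],
           "Version": row["version"], "LinkedAgainst": row["linked_against"],
           "Path": row["path"], "BinaryPath": binary, "Hash": None,
           "LastChangeTime": None, "AccessTime": None, "ModificationTime": None,
           "SizeInBytes": None,
           "OutsideTrustedDirs": not row["path"].startswith(TRUSTED_KEXT_DIRS)}
    if os.path.isfile(binary):
        st = os.stat(binary)
        rec.update(LastChangeTime=_iso(st.st_ctime), AccessTime=_iso(st.st_atime),
                   ModificationTime=_iso(st.st_mtime), SizeInBytes=st.st_size)
        with open(binary, "rb") as f:
            rec["Hash"] = hashlib.sha256(f.read()).hexdigest()
    return rec

def collect(osquery_json):
    """osquery_json: output of osqueryi --json "SELECT * FROM kernel_extensions"."""
    return [enrich(r) for r in json.loads(osquery_json)]

def demo():
    """Constructed sample: a fake kext bundle in a temp dir, no osquery needed."""
    bundle = os.path.join(tempfile.mkdtemp(), "Demo.kext")
    os.makedirs(os.path.join(bundle, "Contents", "MacOS"))
    with open(os.path.join(bundle, "Contents", "MacOS", "Demo"), "wb") as f:
        f.write(b"\xcf\xfa\xed\xfe" + b"\x00" * 60)  # constructed 64-byte stand-in
    rows = [{"idx": "150", "refs": "0", "size": "65536", "name": "com.example.demo",
             "version": "1.0", "linked_against": "<1 2 3>", "path": bundle}]
    return collect(json.dumps(rows))
```

On a real host, feed collect() the JSON from osqueryi and review any record with OutsideTrustedDirs set or with a Hash that does not match a known-good inventory.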

Forensic Value

This evidence is crucial for forensic investigations as it surfaces loaded kernel extensions, enabling detection of persistence, unsigned drivers, and tampering with the kernel.
