Security tools and device drivers may run these programs in order to load legitimate kernel modules. Use of these programs by ordinary users is uncommon.

Techniques

Sample rules

Persistence via Kernel Module Modification

Description

Identifies loadable kernel module errors, which are often indicative of potential persistence attempts.

Detection logic

event.category:process and event.type:(start or process_started) and process.name:(insmod or kmod or modprobe or rmod)
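To see how the query above behaves on real events, here is an added example (not part of LoFP or the referenced rule) that evaluates it in Python over constructed ECS-style process events and tags each hit with whether a non-root user ran it, the context the false-positive note calls uncommon. The field layout and the uid-0 threshold are assumptions; the process-name list is used exactly as the rule writes it.

```python
from typing import Dict, List

# Names exactly as the rule lists them; note the rule says "rmod", so "rmmod" does not match
KERNEL_MODULE_TOOLS = {"insmod", "kmod", "modprobe", "rmod"}


def rule_matches(event: Dict) -> bool:
    """Mirror of: event.category:process and event.type:(start or process_started)
    and process.name:(insmod or kmod or modprobe or rmod)."""
    ev = event.get("event", {})
    categories = ev.get("category", [])
    types = ev.get("type", [])
    # ECS fields may be a single string or a list; normalise both to a set
    cat_set = {categories} if isinstance(categories, str) else set(categories)
    type_set = {types} if isinstance(types, str) else set(types)
    name = event.get("process", {}).get("name", "")
    return ("process" in cat_set and bool(type_set & {"start", "process_started"})
            and name in KERNEL_MODULE_TOOLS)


def triage(events: List[Dict]) -> List[Dict]:
    """Return rule hits, each tagged with whether an ordinary (non-root) user ran it.
    Treating uid 0 as the expected context for module tooling is an assumption here."""
    hits = []
    for e in events:
        if rule_matches(e):
            user = e.get("user", {})
            hits.append({"process": e["process"]["name"],
                         "user": user.get("name"),
                         "ordinary_user": user.get("id") != "0"})
    return hits


# Constructed sample events (not captured from a real host)
SAMPLE_EVENTS = [
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "modprobe"}, "user": {"name": "root", "id": "0"}},
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "insmod"}, "user": {"name": "alice", "id": "1000"}},
    {"event": {"category": ["process"], "type": ["end"]},   # not a start event
     "process": {"name": "modprobe"}, "user": {"name": "root", "id": "0"}},
    {"event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "rmmod"}, "user": {"name": "root", "id": "0"}},  # not in list
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the two start events with a listed process name are hits; the insmod run by uid 1000 is the one the false-positive note suggests deserves a closer look.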