anavem.
Critical RiskWindowsLegitimateCommonly Abused
ntoskrnl.exeSYSTEM KERNEL

ntoskrnl.exe - Windows NT Kernel Security Analysis

ntoskrnl.exe is the **Windows NT operating system kernel**, the core of Windows responsible for process management, memory management, and hardware abstraction. It is the **highest-value target** for rootkits and kernel exploits. Kernel-level compromise provides complete system control.

Risk Summary

CRITICAL priority for SOC triage. ntoskrnl.exe is the Windows kernel - any modification, hooking, or exploitation indicates rootkit-level compromise. Modern protections include Kernel Patch Protection (PatchGuard) and Secure Boot.

Overview

What is ntoskrnl.exe?

ntoskrnl.exe is the Windows NT kernel executable.

Core Functions

Operating System Core:

  • Process/thread management
  • Memory management
  • I/O management
  • Security reference monitor

Security Significance

  • Ultimate Target: Complete system control
  • Rootkit Goal: Kernel-level persistence
  • Protected: PatchGuard, Secure Boot
  • Highest Privilege: Ring 0

Normal Behavior

Normal Behavior

Expected Process State

PropertyExpected Value
PathC:\Windows\System32\ntoskrnl.exe
LoadAt boot time
ProtectionPatchGuard protected
SignatureMicrosoft signed

Note: ntoskrnl.exe runs as the kernel, not a process.

Common Locations

C:\Windows\System32\ntoskrnl.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Path:        C:\Windows\System32\ntoskrnl.exe
Signature:   Valid Microsoft signature
Integrity:   Unmodified

SUSPICIOUS

Path:        Modified or replaced binary
Behavior:    Kernel hooks detected
             PatchGuard triggered
             Unsigned kernel modules

Abuse Techniques

Attack Techniques

Technique #1: Kernel Exploitation (T1068)

Exploiting kernel vulnerabilities for privilege escalation.

Technique #2: Rootkit Installation (T1014)

Kernel-level rootkits hooking ntoskrnl functions.

Technique #3: Driver Loading (T1068)

Loading malicious kernel drivers.

Known Vulnerabilities

  • CVE-2021-1732
  • CVE-2020-1054
  • CVE-2019-0859

Detection Guidance

Detection Strategies

Priority #1: Kernel Integrity

Kernel integrity check failed
→ ALERT: CRITICAL - Possible rootkit

Priority #2: Unsigned Drivers

Driver loaded AND
Signature = Invalid/Missing
→ ALERT: CRITICAL

Priority #3: PatchGuard Triggers

Monitor for BSOD with CRITICAL_STRUCTURE_CORRUPTION.

Remediation Steps

Protection and Remediation

Defense: Secure Boot

Enable Secure Boot to prevent unsigned bootloaders.

Defense: Hypervisor-Protected Code Integrity

Enable HVCI for kernel protection.

If Rootkit Suspected

  1. Boot from clean media
  2. Offline kernel analysis
  3. Full system rebuild recommended
  4. Use specialized rootkit scanners

Investigation Checklist

Investigation Checklist

  • Verify ntoskrnl.exe signature
  • Check for kernel hooks
  • Review loaded drivers
  • Check for BSOD history
  • Verify Secure Boot status
  • Use offline rootkit scanner

MITRE ATT&CK Techniques

T1068T1014

Related Windows Files

EXCEL.EXEhigh

EXCEL.EXE is **Microsoft Excel**, the spreadsheet application and a **primary malware delivery vecto...

Commonly Abused
everything.exelow

Everything is a fast file search utility by Voidtools. Attackers may use it for rapid file discovery...

expressvpn.exemedium

ExpressVPN is a commercial VPN service client. While legitimate for privacy, it can be abused for C2...

hitmanpro.exelow

HitmanPro is a portable anti-malware scanner from Sophos. It uses cloud-based behavioral analysis to...

Last verified: January 18, 2026