diff --git a/hunting/index.md b/hunting/index.md
index 7b014415d8b..cdba1d0ee5b 100644
--- a/hunting/index.md
+++ b/hunting/index.md
@@ -40,6 +40,7 @@ Here are the queries currently available:
 - [OSQuery SUID Hunting](./linux/docs/privilege_escalation_via_suid_binaries.md) (ES|QL)
 - [Persistence Through Reverse/Bind Shells](./linux/docs/persistence_reverse_bind_shells.md) (ES|QL)
 - [Persistence via Cron](./linux/docs/persistence_via_cron.md) (ES|QL)
+- [Persistence via Loadable Kernel Modules](./linux/docs/persistence_via_loadable_kernel_modules.md) (ES|QL)
 - [Persistence via Message-of-the-Day](./linux/docs/persistence_via_message_of_the_day.md) (ES|QL)
 - [Persistence via Package Manager](./linux/docs/persistence_via_package_manager.md) (ES|QL)
 - [Persistence via SSH Configurations and/or Keys](./linux/docs/persistence_via_ssh_configurations_and_keys.md) (ES|QL)
diff --git a/hunting/index.yml b/hunting/index.yml
index ba1152c6d7e..987a9bdbfff 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -220,6 +220,11 @@ linux:
     mitre:
     - T1037.004
     - T1546.003
+  d667d328-fadc-4a52-9b46-f42b1a83181c:
+    name: Persistence via Loadable Kernel Modules
+    path: ./linux/queries/persistence_via_loadable_kernel_modules.toml
+    mitre:
+    - T1547.006
 okta:
   0b936024-71d9-11ef-a9be-f661ea17fbcc:
     name: Failed OAuth Access Token Retrieval via Public Client App
diff --git a/hunting/linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md b/hunting/linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md
index bc09a71d8e3..185d1c99c4e 100644
--- a/hunting/linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md
+++ b/hunting/linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md
@@ -16,11 +16,13 @@
 
 ```sql
 from logs-auditd_manager.auditd-*, logs-auditd.log-*, auditbeat-*
+| keep @timestamp, host.os.type, event.category, event.action, auditd.data.syscall, auditd.data.name, process.executable, process.name, agent.id
 | where @timestamp > now() - 30 day
 | where host.os.type == "linux" and event.category == "driver" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module")
-| stats host_count = count_distinct(host.id), total_count = count(*) by auditd.data.name, process.executable, process.name
+// Process name is different from executable in some cases
+| stats agent_count = count_distinct(agent.id), total_count = count(*) by auditd.data.name, process.executable, process.name
 // Alter this threshold to make sense for your environment
-| where host_count == 1 and total_count == 1
+| where agent_count == 1 and total_count <= 3
 | limit 100
 | sort auditd.data.name asc
 ```
diff --git a/hunting/linux/docs/persistence_via_loadable_kernel_modules.md b/hunting/linux/docs/persistence_via_loadable_kernel_modules.md
new file mode 100644
index 00000000000..4ef7eb0bebe
--- /dev/null
+++ b/hunting/linux/docs/persistence_via_loadable_kernel_modules.md
@@ -0,0 +1,89 @@
+# Persistence via Loadable Kernel Modules
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunt identifies potential persistence mechanisms leveraging Loadable Kernel Modules (LKMs) on Linux systems. LKMs enable dynamic extension of kernel functionality but can be abused by attackers to load malicious code into the kernel, granting them high privileges or persistence. This hunt monitors suspicious kernel module file creations, LKM-related process executions, and access to kernel module configuration files.
+
+- **UUID:** `d667d328-fadc-4a52-9b46-f42b1a83181c`
+- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint)
+- **Language:** `[ES|QL, SQL]`
+- **Source File:** [Persistence via Loadable Kernel Modules](../queries/persistence_via_loadable_kernel_modules.toml)
+
+## Query
+
+```sql
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.extension, file.path, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "creation" and file.extension == "ko" and not (
+  // Add your exclusions here
+  file.path like "/run/initramfs/*" or
+  file.path like "/var/tmp/mkinitramfs*"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, agent.id, process.args, process.args_count
+| where @timestamp > now() - 30 days
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("kmod", "modprobe", "insmod", "rmmod")
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.args, process.args_count
+| where cc == 1 and agent_count == 1 and process.args_count <= 3
+| sort cc asc
+| limit 100
+```
+
+```sql
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE
+    f.path LIKE '/etc/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/security/%'
+    OR f.path LIKE '/etc/modules-load.d/%'
+    OR f.path LIKE '/run/modules-load.d/%'
+    OR f.path LIKE '/usr/local/lib/modules-load.d/%'
+    OR f.path like '/usr/lib/modules-load.d/%'
+    OR f.path = '/etc/modules'
+```
+
+```sql
+SELECT * FROM kernel_modules;
+```
+
+## Notes
+
+- Tracks the creation of loadable kernel module files (.ko) in non-standard directories to identify potential malicious modules.
+- Monitors the execution of processes related to kernel module management, such as kmod, modprobe, insmod, and rmmod, to detect suspicious or unusual activity.
+- Identifies changes to critical kernel module configuration files, including /etc/modprobe.d/, /etc/modules, and related paths.
+- Uses OSQuery queries to gather detailed metadata on kernel modules currently loaded, supporting forensic analysis of potential persistence mechanisms.
+- Provides statistics and counts to help identify rare or anomalous kernel module-related events.
+
+## MITRE ATT&CK Techniques
+
+- [T1547.006](https://attack.mitre.org/techniques/T1547/006)
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml b/hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml
index 7ec92830c66..bf58e7075ef 100644
--- a/hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml
+++ b/hunting/linux/queries/persistence_via_driver_load_with_low_occurrence_frequency.toml
@@ -18,11 +18,13 @@ mitre = ["T1547.006", "T1069.002"]
 query = [
 '''
 from logs-auditd_manager.auditd-*, logs-auditd.log-*, auditbeat-*
+| keep @timestamp, host.os.type, event.category, event.action, auditd.data.syscall, auditd.data.name, process.executable, process.name, agent.id
 | where @timestamp > now() - 30 day
 | where host.os.type == "linux" and event.category == "driver" and event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module")
-| stats host_count = count_distinct(host.id), total_count = count(*) by auditd.data.name, process.executable, process.name
+// Process name is different from executable in some cases
+| stats agent_count = count_distinct(agent.id), total_count = count(*) by auditd.data.name, process.executable, process.name
 // Alter this threshold to make sense for your environment
-| where host_count == 1 and total_count == 1
+| where agent_count == 1 and total_count <= 3
 | limit 100
 | sort auditd.data.name asc
 '''
diff --git a/hunting/linux/queries/persistence_via_loadable_kernel_modules.toml b/hunting/linux/queries/persistence_via_loadable_kernel_modules.toml
new file mode 100644
index 00000000000..fb62a4c9c92
--- /dev/null
+++ b/hunting/linux/queries/persistence_via_loadable_kernel_modules.toml
@@ -0,0 +1,75 @@
+[hunt]
+author = "Elastic"
+description = """
+This hunt identifies potential persistence mechanisms leveraging Loadable Kernel Modules (LKMs) on Linux systems. LKMs enable dynamic extension of kernel functionality but can be abused by attackers to load malicious code into the kernel, granting them high privileges or persistence. This hunt monitors suspicious kernel module file creations, LKM-related process executions, and access to kernel module configuration files.
+"""
+integration = ["endpoint"]
+uuid = "d667d328-fadc-4a52-9b46-f42b1a83181c"
+name = "Persistence via Loadable Kernel Modules"
+language = ["ES|QL", "SQL"]
+license = "Elastic License v2"
+notes = [
+    "Tracks the creation of loadable kernel module files (.ko) in non-standard directories to identify potential malicious modules.",
+    "Monitors the execution of processes related to kernel module management, such as kmod, modprobe, insmod, and rmmod, to detect suspicious or unusual activity.",
+    "Identifies changes to critical kernel module configuration files, including /etc/modprobe.d/, /etc/modules, and related paths.",
+    "Uses OSQuery queries to gather detailed metadata on kernel modules currently loaded, supporting forensic analysis of potential persistence mechanisms.",
+    "Provides statistics and counts to help identify rare or anomalous kernel module-related events."
+]
+mitre = ["T1547.006"]
+
+query = [
+'''
+from logs-endpoint.events.file-*
+| keep @timestamp, host.os.type, event.type, event.action, file.extension, file.path, process.executable, agent.id
+| where @timestamp > now() - 30 day
+| where host.os.type == "linux" and event.type == "creation" and file.extension == "ko" and not (
+  // Add your exclusions here
+  file.path like "/run/initramfs/*" or
+  file.path like "/var/tmp/mkinitramfs*"
+)
+| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable
+| where agent_count <= 3
+| sort cc asc
+| limit 100
+''',
+'''
+from logs-endpoint.events.process-*
+| keep @timestamp, host.os.type, event.type, event.action, process.name, agent.id, process.args, process.args_count
+| where @timestamp > now() - 30 days
+| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name in ("kmod", "modprobe", "insmod", "rmmod")
+| stats cc = count(), agent_count = count_distinct(agent.id) by process.args, process.args_count
+| where cc == 1 and agent_count == 1 and process.args_count <= 3
+| sort cc asc
+| limit 100
+''',
+'''
+SELECT
+    f.filename,
+    f.path,
+    u.username AS file_owner,
+    g.groupname AS group_owner,
+    datetime(f.atime, 'unixepoch') AS file_last_access_time,
+    datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
+    datetime(f.ctime, 'unixepoch') AS file_last_status_change_time
+    datetime(f.btime, 'unixepoch') AS file_created_time,
+    f.size AS size_bytes
+FROM
+    file f
+LEFT JOIN
+    users u ON f.uid = u.uid
+LEFT JOIN
+    groups g ON f.gid = g.gid
+WHERE
+    f.path LIKE '/etc/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/modprobe.d/%'
+    OR f.path LIKE '/usr/lib/security/%'
+    OR f.path LIKE '/etc/modules-load.d/%'
+    OR f.path LIKE '/run/modules-load.d/%'
+    OR f.path LIKE '/usr/local/lib/modules-load.d/%'
+    OR f.path like '/usr/lib/modules-load.d/%'
+    OR f.path = '/etc/modules'
+''',
+'''
+SELECT * FROM kernel_modules;
+'''
+]