
Summary
Detects invocation of the kextload utility on macOS to manually load kernel extensions (KEXTs). KEXTs execute with kernel privileges, so loading one introduces privileged code into the kernel. While this is legitimate for driver installation and system administration, misuse may enable persistence or privilege escalation at the kernel level. The rule uses osquery results to identify processes named kextload (excluding the common -h/--help invocations) and surfaces contextual fields such as destination, original file name, parent process, process identifiers, executable path, user, and vendor/product information for analysis. Drill-down searches and risk correlation rely on user/host relationships and risk events to contextualize a potential kernel extension load. The rule's risk-based alerting (RBA) message flags a possible kernel extension loaded on a host by a user via a process. Known false positives include administrators installing drivers. Implementation guidance emphasizes enabling macOS process auditing and deploying the TA-OSquery so that the relevant data models are populated across indexers and forwarders. The rule aligns with the MacOS Privilege Escalation and MacOS Persistence Techniques analytic stories (MITRE ATT&CK T1543).
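The following is an added example of the detection logic described above, written here for illustration; it is not the rule's own search and not part of the original page. It assumes osquery result lines shaped like the snapshot format (a JSON object with hostIdentifier and a columns object carrying name, pid, parent, path, cmdline and uid, loosely modelled on osquery's processes table); the sample lines, host names and paths are constructed. It matches processes named kextload (or whose executable basename is kextload), drops -h/--help invocations, and emits the contextual fields together with an RBA-style risk message.

```python
import json
import os
import shlex

# Constructed sample osquery snapshot lines (not real telemetry). Field names
# are an assumption modelled on osquery's processes table columns.
SAMPLE_OSQUERY_LINES = [
    json.dumps({"hostIdentifier": "mac-01", "columns": {
        "name": "kextload", "pid": 4121, "parent": 4100, "uid": 0,
        "path": "/sbin/kextload",
        "cmdline": "kextload /Library/Extensions/Example.kext"}}),
    json.dumps({"hostIdentifier": "mac-01", "columns": {
        "name": "kextload", "pid": 4130, "parent": 4100, "uid": 501,
        "path": "/sbin/kextload", "cmdline": "kextload --help"}}),
    json.dumps({"hostIdentifier": "mac-02", "columns": {
        "name": "kextutil", "pid": 5001, "parent": 4990, "uid": 0,
        "path": "/usr/bin/kextutil", "cmdline": "kextutil -n /tmp/x.kext"}}),
    # Some collectors omit "name"; the basename of "path" is used as fallback.
    json.dumps({"hostIdentifier": "mac-02", "columns": {
        "pid": 5230, "parent": 5200, "uid": 0,
        "path": "/sbin/kextload",
        "cmdline": "/sbin/kextload -h"}}),
    json.dumps({"hostIdentifier": "mac-03", "columns": {
        "pid": 6010, "parent": 6000, "uid": 0,
        "path": "/sbin/kextload",
        "cmdline": "/sbin/kextload /Library/Extensions/Driver.kext"}}),
    json.dumps({"hostIdentifier": "mac-03", "columns": {
        "name": "osascript", "pid": 6020, "parent": 6000, "uid": 501,
        "path": "/usr/bin/osascript", "cmdline": "osascript -e 'beep'"}}),
]

HELP_FLAGS = {"-h", "--help"}
TARGET_PROCESS = "kextload"


def parse_osquery_line(line):
    """Flatten one osquery snapshot line into a single dict of fields."""
    record = json.loads(line)
    fields = {"host": record.get("hostIdentifier")}
    fields.update(record.get("columns", {}))
    return fields


def process_name(fields):
    """Prefer the reported name; fall back to the executable basename."""
    name = fields.get("name")
    if name:
        return name
    return os.path.basename(fields.get("path", ""))


def is_help_invocation(cmdline):
    """True when any argument after the program is -h or --help."""
    try:
        argv = shlex.split(cmdline or "")
    except ValueError:
        argv = (cmdline or "").split()
    return any(arg in HELP_FLAGS for arg in argv[1:])


def detect_kextload(lines):
    """Return findings for kextload invocations that are not help requests."""
    findings = []
    for line in lines:
        fields = parse_osquery_line(line)
        if process_name(fields) != TARGET_PROCESS:
            continue
        cmdline = fields.get("cmdline", "")
        if is_help_invocation(cmdline):
            continue
        findings.append({
            "host": fields.get("host"),
            "user": fields.get("uid"),
            "pid": fields.get("pid"),
            "parent_pid": fields.get("parent"),
            "process_path": fields.get("path"),
            "cmdline": cmdline,
            # Mirrors the rule's RBA message: host, user and process context.
            "risk_message": (
                f"Possible kernel extension loaded on {fields.get('host')} "
                f"by uid {fields.get('uid')} via [{cmdline}]"),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_kextload(SAMPLE_OSQUERY_LINES):
        print(json.dumps(finding))
```

Administrators installing drivers will produce the same findings, so in practice the risk message is correlated with other risk events for the host and user rather than alerted on alone, as the rule's drill-down and RBA guidance describes.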
Categories
- Endpoint
- macOS
Data Sources
- User Account
- Process
- Kernel
- File
- Command
- Windows Registry
- Pod
- Container
- Image
- Script
- Module
ATT&CK Techniques
- T1543
Created: 2026-02-26