T1014: Rootkit

Data from MITRE ATT&CK®:

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

File Modification (File)

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

Drive Modification (Drive)

Changes made to a drive letter or mount point of a data storage device

Firmware Modification (Firmware)

Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)

Loadable Kernel Module based Rootkit

linux

Loadable Kernel Module based Rootkit

linux

Loadable Kernel Module based Rootkit (Diamorphine)

linux

dynamic-linker based rootkit (libprocesshider)

linux

Triple Cross eBPF Rootkit Install Commands

linux process creation