Description
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Rootkits that reside or modify boot sectors are known as Bootkits and specifically target the boot process of the operating system.
Platforms
Threat Groups (6)
| ID | Group | Context |
|---|---|---|
| G0044 | Winnti Group | [Winnti Group](https://attack.mitre.org/groups/G0044) used a rootkit to modify typical server functionality.(Citation: Kaspersky Winnti April 2013) |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) deployed rootkits on Linux systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and minin... |
| G0139 | TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocur... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a UEFI (Unified Extensible Firmware Interface) rootkit known as [LoJax](https://attack.mitre.o... |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used the publicly available rootkits [REPTILE](https://attack.mitre.org/software/S1219) and [MEDU... |
Associated Software (24)
| ID | Name | Type | Context |
|---|---|---|---|
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) acts as a user land rootkit using the SSH service.(Citation: ESET Ebury Oct 2017)(Citation: ESET Ebur... |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) has used user mode rootkit techniques to remain hidden on the system.(Citation: Prevx Carberp March... |
| S0458 | Ramsay | Malware | [Ramsay](https://attack.mitre.org/software/S0458) has included a rootkit to evade defenses.(Citation: Eset Ramsay May 2020) |
| S0502 | Drovorub | Malware | [Drovorub](https://attack.mitre.org/software/S0502) has used a kernel module rootkit to hide processes, files, executables, and network artifacts from... |
| S0040 | HTRAN | Tool | [HTRAN](https://attack.mitre.org/software/S0040) can install a rootkit to hide network connections from the host OS.(Citation: NCSC Joint Report Publi... |
| S0135 | HIDEDRV | Malware | [HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit that hides certain operating system artifacts.(Citation: ESET Sednit Part 3) |
| S0468 | Skidmap | Malware | [Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake ... |
| S0221 | Umbreon | Malware | [Umbreon](https://attack.mitre.org/software/S0221) hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presenc... |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) uses a Windows rootkit to mask its binaries and other relevant files.(Citation: Nicolas Falliere, L... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) hooks or replaces multiple legitimate processes and other functions on victim devices.(Citation:... |
| S0047 | Hacking Team UEFI Rootkit | Malware | [Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote ac... |
| S0394 | HiddenWasp | Malware | [HiddenWasp](https://attack.mitre.org/software/S0394) uses a rootkit to hook and implement functions on the system.(Citation: Intezer HiddenWasp Map 2... |
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has modified /etc/ld.so.preload to overwrite readdir() and readdir64().(Citation: Unit 42 Hildega... |
| S1186 | Line Dancer | Malware | [Line Dancer](https://attack.mitre.org/software/S1186) can hook both the crash dump process and the Autehntication, Authorization, and Accounting (AAA... |
| S0009 | Hikit | Malware | [Hikit](https://attack.mitre.org/software/S0009) is a [Rootkit](https://attack.mitre.org/techniques/T1014) that has been used by [Axiom](https://attac... |
| S1220 | MEDUSA | Malware | [MEDUSA](https://attack.mitre.org/software/S1220) is a rootkit with command execution and credential logging capabilities.(Citation: Google Cloud Mand... |
| S1219 | REPTILE | Malware | [REPTILE](https://attack.mitre.org/software/S1219) has the ability to hook kernel functions and modify functions data to achieve rootkit functionality... |
| S0430 | Winnti for Linux | Malware | [Winnti for Linux](https://attack.mitre.org/software/S0430) has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so,... |
| S0027 | Zeroaccess | Malware | [Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode rootkit.(Citation: Sophos ZeroAccess) |
| S0397 | LoJax | Malware | [LoJax](https://attack.mitre.org/software/S0397) is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.(Citation:... |
References
- Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.
- Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.
- Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.
- Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.
Frequently Asked Questions
What is T1014 (Rootkit)?
T1014 is a MITRE ATT&CK technique named 'Rootkit'. It belongs to the Stealth tactic(s). Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by i...
How can T1014 be detected?
Detection of T1014 (Rootkit) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1014?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1014?
Known threat groups using T1014 include: Winnti Group, APT41, Rocke, TeamTNT, APT28, UNC3886.