
Rootkit

Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying the operating system API calls that supply system information. [1] Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system, or lower still, including a hypervisor, the Master Boot Record, or the system firmware. [2]

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. [3] [4]

ID: T1014

Tactic: Defense Evasion

Platform: Linux, macOS, Windows

Permissions Required: Administrator, SYSTEM, root

Data Sources: BIOS, MBR, System calls

Defense Bypassed: File monitoring, Host intrusion prevention systems, Process whitelisting, Signature-based detection, System access controls, Whitelisting by file name or path, Anti-virus

Version: 1.0

Examples

Name / Description
Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.[5]

HIDEDRV

HIDEDRV is a rootkit that hides certain operating system artifacts.[6]

PoisonIvy

PoisonIvy starts a rootkit from a malicious file dropped to disk.[7]

Umbreon

Umbreon hides from defenders by hooking libc function calls, concealing artifacts that would reveal its presence (such as the user account it creates to provide access) and undermining strace, a tool often used to identify malware.[8]

Uroburos

Uroburos is a rootkit used by Turla.[9]

Winnti Group

Winnti Group used a rootkit to modify typical server functionality.[10]

Zeroaccess

Zeroaccess is a kernel-mode rootkit.[11]

Mitigation

Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it using whitelisting [12] tools such as AppLocker [13] [14] or Software Restriction Policies [15] where appropriate. [16]

Detection

Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. [2]
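The cross-view approach behind dedicated rootkit detectors, shown here as an added example that is not part of the ATT&CK page or of any tool it names: a user-level rootkit that hooks libc (as Umbreon does) can filter what readdir() returns for /proc, but probing each PID with kill(pid, 0) asks the kernel directly, so any PID present in the probe view and absent from the listing is a hidden process. The example also lists the objects named in /etc/ld.so.preload, the injection point for LD_PRELOAD-style hooks; the PRELOAD_FILE path and the live scan in the main block are assumptions for Linux, and a kernel-mode rootkit can defeat both views since both pass through the kernel.

```python
# Added example, not from the ATT&CK page or any tool it names: cross-view
# detection of user-level rootkits that hook libc (the Umbreon technique).
# The "hooked" view is what readdir() reports for /proc; the "probe" view
# asks the kernel about every PID directly with kill(pid, 0).
import os

PRELOAD_FILE = "/etc/ld.so.preload"   # assumed Linux path for forced preloads


def pids_from_listing(entries):
    """PIDs visible in a readdir()-based listing of /proc (hookable)."""
    return {int(name) for name in entries if name.isdigit()}


def pid_exists(pid):
    """kill(pid, 0) delivers no signal; EPERM still proves the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_by_probe(max_pid, exists=pid_exists):
    """PIDs found by probing every candidate, bypassing readdir()."""
    return {pid for pid in range(1, max_pid + 1) if exists(pid)}


def hidden_pids(listed, probed):
    """Processes the kernel knows about but the directory listing omits."""
    return sorted(probed - listed)


def parse_ld_preload(text):
    """Shared objects named in ld.so.preload ('#' starts a comment)."""
    objs = []
    for line in text.splitlines():
        objs.extend(line.split("#", 1)[0].split())
    return objs


def preload_hooks(path=PRELOAD_FILE):
    """Objects forced into every dynamically linked process, or [] if none."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return parse_ld_preload(fh.read())


if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = pids_from_listing(os.listdir("/proc"))
    print("hidden PIDs:", hidden_pids(listed, pids_by_probe(pid_max)))
    print("preloaded objects:", preload_hooks())
```

A non-empty "hidden PIDs" result or an unexpected entry in ld.so.preload is a lead to investigate, not proof on its own, since a process may exit between the two views.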

References