Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. 
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware.  Rootkits have been seen for Windows, Linux, and Mac OS X systems.  
|S0047||Hacking Team UEFI Rootkit|
Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.
Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.
|S0430||Winnti for Linux|
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
|ID||Data Source||Data Component||Detects|
Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
Monitor for changes and the existence of unrecognized DLLs, drivers, devices, services, and to the MBR. 
Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior.