Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. [1]

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. [2] Rootkits have been seen for Windows, Linux, and Mac OS X systems. [3] [4]

ID: T1014
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: Administrator, SYSTEM, root
Data Sources: BIOS, MBR, System calls
Defense Bypassed: Anti-virus, Application control, Application control by file name or path, File monitoring, Host intrusion prevention systems, Signature-based detection, System access controls
Version: 1.1
Created: 31 May 2017
Last Modified: 20 June 2020

Procedure Examples

Name Description

APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.[5][6]


APT41 deployed rootkits on Linux systems.[7]


Carberp has used user mode rootkit techniques to remain hidden on the system.[8]


Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.[9]

Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.[10]


HiddenWasp uses a rootkit to hook and implement functions on the system.[11]


HIDEDRV is a rootkit that hides certain operating system artifacts.[12]


Hikit is a Rootkit that has been used by Axiom.[13] [14]


HTRAN can install a rootkit to hide network connections from the host OS.[15]


LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.[6]


PoisonIvy starts a rootkit from a malicious file dropped to disk.[16]


Ramsay has included a rootkit to evade defenses.[17]


Rocke has modified /etc/ to hook libc functions in order to hide the installed dropper and mining software in process lists.[18]


Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.[19]


Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.[20]


Uroburos is a rootkit used by Turla.[21]

Winnti for Linux

Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named, to hide the malware's operations and network activity.[22]

Winnti Group

Winnti Group used a rootkit to modify typical server functionality.[23]


Zeroaccess is a kernel-mode rootkit.[24]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. [2]


  1. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
  2. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
  3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  4. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  5. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  6. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  7. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  8. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  9. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  10. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  11. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  12. Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.