Rootkit

From ATT&CK
Rootkit (Technique)
ID: T1014
Tactic: Defense Evasion
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required: Administrator, SYSTEM
Data Sources: BIOS, MBR, System calls
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting, Signature-based detection, System access controls, Whitelisting by file name or path

Rootkits are programs that hide the existence of malware by intercepting and modifying the operating system API calls that supply system information. Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system or lower, including a hypervisor, the Master Boot Record, or the Basic Input/Output System. [1]

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.

Examples

  • Winnti Group used a rootkit to modify typical server functionality. [2]
  • Uroburos is a rootkit used by Turla. [3]
  • Zeroaccess is a kernel-mode rootkit. [4]
  • Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems. [5]
  • HIDEDRV is a rootkit that hides certain operating system artifacts. [6]

Mitigation

Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting [7] tools, like AppLocker [8][9] or Software Restriction Policies, [10] where appropriate. [11]

Detection

Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. [1]
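The baseline-comparison part of the detection guidance above, as an added example that is not part of the ATT&CK page: a small Python checker that flags kernel drivers absent from a known-good inventory and reports whether the MBR still matches a recorded hash. It assumes the driver inventory comes from the Windows `driverquery /fo csv` command (the column names and all sample rows below are constructed, and `xyzdrv` is a placeholder module name, not a real driver) and that the MBR is the first 512 bytes of the boot disk, read from `\\.\PhysicalDrive0` as Administrator; the sample MBR images are likewise constructed.

```python
# Added example, not ATT&CK's own tooling. Compares a current driver inventory
# against a known-good baseline and verifies the MBR hash, which covers two of
# the indicators named in the Detection section: unrecognized drivers/services
# and MBR changes.
import csv
import hashlib
import io

MBR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"  # boot signature at offset 510 of a classic MBR


def parse_driver_inventory(csv_text):
    """Parse `driverquery /fo csv` output (assumed format) into
    {module_name_lowercase: row_dict}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Module Name"].strip().lower(): row for row in reader}


def diff_driver_inventory(baseline, current):
    """Return (added, removed) module-name sets relative to the baseline.
    A driver loaded now but absent from the baseline is the 'unrecognized
    driver' that warrants investigation."""
    base_names, cur_names = set(baseline), set(current)
    return cur_names - base_names, base_names - cur_names


def validate_mbr(mbr_bytes):
    """True if the image is exactly 512 bytes and carries the 0x55AA signature."""
    return len(mbr_bytes) == MBR_SIZE and mbr_bytes[510:512] == MBR_SIGNATURE


def mbr_fingerprint(mbr_bytes):
    """SHA-256 of a well-formed MBR image; a bootkit that rewrites the MBR
    changes this value even when the 0x55AA signature is preserved."""
    if not validate_mbr(mbr_bytes):
        raise ValueError("not a well-formed 512-byte MBR image")
    return hashlib.sha256(mbr_bytes).hexdigest()


def check_mbr(baseline_hash, mbr_bytes):
    """True if the MBR still matches the recorded baseline hash."""
    return mbr_fingerprint(mbr_bytes) == baseline_hash


def read_mbr_from_disk(path=r"\\.\PhysicalDrive0"):
    """Read the live MBR (Windows, needs Administrator). Not used offline."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


# --- constructed sample data (not real telemetry) ---
BASELINE_CSV = '''"Module Name","Display Name","Driver Type","Link Date"
"ACPI","Microsoft ACPI Driver","Kernel ","1/1/2020 1:00:00 AM"
"disk","Disk Driver","Kernel ","1/1/2020 1:00:00 AM"
'''
# Same inventory plus one module the baseline does not know about (placeholder name).
CURRENT_CSV = BASELINE_CSV + '"xyzdrv","","Kernel ","6/15/2021 3:12:00 PM"\n'

GOOD_MBR = bytes(510) + MBR_SIGNATURE            # constructed, all-zero code area
TAMPERED_MBR = b"\x90" + GOOD_MBR[1:]             # one byte of boot code altered


def run_checks(baseline_csv, current_csv, baseline_mbr_hash, mbr_bytes):
    """Run both checks and return the findings as a dict."""
    added, removed = diff_driver_inventory(
        parse_driver_inventory(baseline_csv), parse_driver_inventory(current_csv))
    return {"unrecognized_drivers": sorted(added),
            "missing_drivers": sorted(removed),
            "mbr_matches_baseline": check_mbr(baseline_mbr_hash, mbr_bytes)}


if __name__ == "__main__":
    baseline_hash = mbr_fingerprint(GOOD_MBR)
    print(run_checks(BASELINE_CSV, CURRENT_CSV, baseline_hash, TAMPERED_MBR))
```

In practice the baseline CSV and hash are captured on a freshly built host and stored off-box, since a kernel-mode rootkit that hooks the system calls behind `driverquery` can hide its own module from the live inventory; the MBR comparison reads raw sectors and is less exposed to that, which is why both checks are worth running together.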