MITRE Technique [T1014] Rootkit

[T1014] Rootkit – Rootkits are stealthy tools attackers use to hide malware and maintain covert access by modifying or hooking system components at the user, kernel, boot, or firmware level. Detection requires layered monitoring of files, drivers, firmware, boot records, and unusual API/OS behavior. #Rootkit #DefenseEvasion

Keypoints

  • Rootkits intercept and modify OS API calls to conceal processes, files, network connections, and system objects.
  • They can operate at user, kernel, hypervisor, boot (MBR), or firmware levels, increasing persistence and stealth.
  • Detection needs multiple data sources: file and drive changes, firmware and boot record integrity, and unexpected drivers or services.
  • Use specialized rootkit scanners, EDR behavioral rules, and firmware/boot integrity checks to reduce blind spots.
  • Common challenges include false positives from legitimate low-level drivers and difficulty detecting kernel/firmware-level modifications.

Description:

  • Like a magician removing evidence from a stage, a rootkit hides the existence of malicious actors and their tools so defenders see only what the attacker wants them to see.
  • Rootkits hook or replace OS interfaces and low-level components so they can hide files, processes, drivers, network sockets, and modifications at user, kernel, boot, or firmware levels, enabling persistent, covert access and evasion of detection and remediation.

Detection:

  • Use EDR/AV tools with rootkit-specific modules to scan for hooking, code injections, and unexpected kernel modules or drivers.
  • Perform offline or trusted-boot scans of drives and MBR/GPT to detect unauthorized boot-record or bootloader changes.
  • Monitor file integrity (FIM) and drive modification logs for unexpected changes to system directories, kernel modules, drivers, and critical binaries.
  • Collect and analyze kernel and driver load events, unexpected device creation, and unsigned or anomalous driver signatures.
  • Audit firmware integrity using vendor tools and UEFI/BIOS attestation; alert on firmware modification or mismatched firmware hashes.
  • Correlate unusual API call patterns, hooking behavior, or discrepancies between userland process listings and kernel process tables using kernel-level telemetry or live memory analysis tools (e.g., Volatility, Rekall).
  • Expect false positives from legitimate security or monitoring drivers; validate findings by cross-checking with offline images, vendor whitelists, and known-good baselines before remediation.
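As an added example (not part of the MITRE page or any vendor tool), the script below implements three of the detection ideas listed above as plain detection logic: a cross-view check that flags processes present in a kernel process table but missing from the userland listing, a driver-load review that flags unsigned or untrusted-publisher drivers while suppressing an allowlist of known-good drivers (the false-positive control from the last bullet), and a file-integrity comparison of system files against a baseline. All telemetry, file contents, driver names, publishers and the allowlist are constructed sample data; in practice they would come from an EDR sensor, a memory-analysis tool such as Volatility, driver-load events, and an FIM baseline.

```python
import hashlib

# --- Constructed sample telemetry (not real data) ---------------------------
# Userland view: what a ps/tasklist-style enumeration on the host reported.
USERLAND_PROCS = {1: "systemd", 412: "sshd", 980: "nginx"}
# Kernel view: the process table as seen by kernel-level telemetry or a memory
# analysis tool. PID 1337 appears here but not in the userland listing.
KERNEL_PROCS = {1: "systemd", 412: "sshd", 980: "nginx", 1337: "kworker/u:9"}

# Driver / kernel-module load events with code-signing status (constructed).
DRIVER_LOAD_EVENTS = [
    {"name": "ntfs.sys", "signed": True, "publisher": "Microsoft Windows"},
    {"name": "edr_sensor.sys", "signed": True, "publisher": "Example EDR Inc."},
    {"name": "hlprx.sys", "signed": False, "publisher": None},
    {"name": "fltsvc.sys", "signed": True, "publisher": "Unknown Vendor Ltd"},
]

# Hypothetical allowlist of drivers and publishers vetted as legitimate on
# this host; this is what keeps legitimate security drivers out of the alerts.
KNOWN_GOOD_DRIVERS = {"ntfs.sys", "edr_sensor.sys"}
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Example EDR Inc."}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# File-integrity baseline vs. current state, hashed from constructed bytes.
BASELINE_FILES = {
    "/boot/vmlinuz": b"kernel-image-v1",
    "/lib/modules/net.ko": b"net-module-v1",
}
CURRENT_FILES = {
    "/boot/vmlinuz": b"kernel-image-v1",
    "/lib/modules/net.ko": b"net-module-v1-patched",
    "/lib/modules/unknown.ko": b"module-not-in-baseline",
}
FIM_BASELINE = {path: sha256(content) for path, content in BASELINE_FILES.items()}
FIM_CURRENT = {path: sha256(content) for path, content in CURRENT_FILES.items()}


def hidden_processes(userland, kernel):
    """PIDs present in the kernel process table but absent from the userland
    listing: the classic cross-view discrepancy produced by API hooking."""
    return sorted(pid for pid in kernel if pid not in userland)


def suspicious_drivers(events, allowlist, trusted_publishers):
    """Driver loads that are unsigned or signed by an unrecognised publisher.
    Allowlisted drivers are skipped first so known security/monitoring
    drivers do not generate alerts."""
    findings = []
    for event in events:
        if event["name"] in allowlist:
            continue
        if not event["signed"]:
            findings.append((event["name"], "unsigned"))
        elif event["publisher"] not in trusted_publishers:
            findings.append((event["name"], "untrusted publisher"))
    return findings


def fim_changes(baseline, current):
    """Compare current file hashes against a known-good baseline."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def run_checks():
    """Run all three checks over the constructed telemetry; returns alert strings."""
    alerts = []
    for pid in hidden_processes(USERLAND_PROCS, KERNEL_PROCS):
        alerts.append(f"hidden process: pid={pid} name={KERNEL_PROCS[pid]}")
    for name, reason in suspicious_drivers(DRIVER_LOAD_EVENTS, KNOWN_GOOD_DRIVERS, TRUSTED_PUBLISHERS):
        alerts.append(f"suspicious driver load: {name} ({reason})")
    changes = fim_changes(FIM_BASELINE, FIM_CURRENT)
    for path in changes["modified"]:
        alerts.append(f"modified system file: {path}")
    for path in changes["added"]:
        alerts.append(f"new file outside baseline: {path}")
    for path in changes["removed"]:
        alerts.append(f"baseline file missing: {path}")
    return alerts


if __name__ == "__main__":
    for alert in run_checks():
        print(alert)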

Tactics:
Defense Evasion

Platforms:
Linux, Windows, macOS

Data Sources:
Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification

Relationship Citations:
(Citation: Crowdstrike GTR2020 Mar 2020), (Citation: FireEye APT41 Aug 2019), (Citation: NCSC Joint Report Public Tools), (Citation: Intezer HiddenWasp Map 2019), (Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023), (Citation: Kaspersky Turla), (Citation: NSA/FBI Drovorub August 2020), (Citation: TrendMicro Hacking Team UEFI), (Citation: Symantec Darkmoon Aug 2005), (Citation: NCSC-NL COATHANGER Feb 2024), (Citation: Check Point Warzone Feb 2020), (Citation: Anomali Rocke March 2019), (Citation: Umbreon Trend Micro), (Citation: ClearSky Lebanese Cedar Jan 2021), (Citation: FireEye Hikit Rootkit), (Citation: ESET Ebury Oct 2017), (Citation: Kaspersky Winnti April 2013), (Citation: Chronicle Winnti for Linux May 2019), (Citation: Prevx Carberp March 2011), (Citation: Symantec APT28 Oct 2018), (Citation: Cisco Talos Intelligence Group), (Citation: ESET LoJax Sept 2018), (Citation: Unit 42 Hildegard Malware), (Citation: Trend Micro Skidmap), (Citation: Cisco ArcaneDoor 2024), (Citation: Eset Ramsay May 2020), (Citation: Trend Micro TeamTNT), (Citation: ESET Sednit Part 3), (Citation: Sophos ZeroAccess), (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011), (Citation: FireEye HIKIT Rootkit Part 2), (Citation: ESET Ebury May 2024)

Read More: https://attack.mitre.org/techniques/T1014