Home/ATT&CK Technique/Rootkit
ATT&CK Technique

Rootkit

T1014 · stealth

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or System Firmware.

Rootkits have been seen for Windows, Linux, and Mac OS X systems. Rootkits that reside or modify boot sectors are known as Bootkits and specifically target the boot process of the operating system.

LinuxmacOSWindows

Actors Using This

14
latin_america_brazilian_organized_cybercrimeAmavaldo
russiaAPT28
chinaAPT41
china_state_sponsored_mandiant_canonical_microsoft_mulberry_typhoonAPT5 (UNC2630 / UNC2717 / Mulberry Typhoon)
russiaAwfulShred
russia_speaking_cybercrime8Base
iran_linked_dragos_tracked_ics_activity_group_cyberav3ngers_persona_2024_disclosedBAUXITE
chinaBillbug
russia_apt_sandwormBlackEnergy
commercial_cybercrime_uefi_bootkitBlackLotus
ransomware_raas_independent_emergenceCactus
russia_apt_sandwormCaddyWiper
israel_commercial_cyber_mercenaryCandiru / Sourgum
spainCareto / The Mask

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
initial-access same
T1200 · Hardware Additions ×2.64
persistence same
T1037.003 · Network Logon Script ×3.31T1542.001 · System Firmware ×2.83T1542.003 · Bootkit ×2.70T1037 · Boot or Logon Initialization Scripts ×2.64T1037.001 · Logon Script (Windows) ×2.64T1542 · Pre-OS Boot ×2.60
privilege-escalation same
T1055.012 · Process Hollowing ×3.31
impact same
T1488 · Disk Content Wipe ×3.31T1496 · Resource Hijacking ×3.03
other same
T0881 · Service Stop ×3.31T1562.003 · Impair Command History Logging ×3.31T1562.006 · Indicator Blocking ×3.31T1036.001 · Invalid Code Signature ×3.15T1601.001 · Patch System Image ×2.75

Atomic Tests

4
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
shelevatedlinuxLoadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit 
sudo insmod #{rootkit_path}/#{rootkit_name}.ko
shelevatedlinuxLoadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit 
sudo modprobe #{rootkit_name}
shelevatedlinuxdynamic-linker based rootkit (libprocesshider)
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006). 
echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
shelevatedlinuxLoadable Kernel Module based Rootkit (Diamorphine)
Loads Diamorphine kernel module, which hides itself and a processes. 
sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 1
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

D3FEND12 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin