T1014

Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https:...

Platforms: Linux, macOS, Windows

29 Detections | 4 Sources | 6 Threat Actors

BY SOURCE

22 elastic | 5 splunk_escu | 1 crowdstrike_cql | 1 sigma

PROCEDURES (20)

Auto-extracted procedure keywords and the number of detections tagged with each:

- Kernel: 5 detections
- Driver: 3 detections
- Privilege: 2 detections
- Process Creation Monitoring: 2 detections
- Evasion: 2 detections
- Evasion: 1 detection
- Tamper: 1 detection
- Tamper: 1 detection
- Unusual: 1 detection
- Suspicious: 1 detection
- Kernel: 1 detection
- Persist: 1 detection
- Masquerad: 1 detection
- Persist: 1 detection
- Parent Process: 1 detection
- Unusual: 1 detection
- General Monitoring: 1 detection
- Parent Process: 1 detection
- Masquerad: 1 detection
- Kernel Monitoring: 1 detection

DETECTIONS (29)