EXPLORE
Sign In
← Back to Explore
T1014

Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https:...

LinuxmacOSWindows
30
Detections
4
Sources
6
Threat Actors

BY SOURCE

22elastic5splunk_escu2crowdstrike_cql1sigma

PROCEDURES (20)

Kernel6 detections

Auto-extracted: 6 detections for kernel

Evasion2 detections

Auto-extracted: 2 detections for evasion

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Tamper1 detections

Auto-extracted: 1 detections for tamper

Unusual1 detections

Auto-extracted: 1 detections for unusual

Kernel1 detections

Auto-extracted: 1 detections for kernel

Persist1 detections

Auto-extracted: 1 detections for persist

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

Kernel Monitoring1 detections

Auto-extracted: 1 detections for kernel monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Masquerad1 detections

Auto-extracted: 1 detections for masquerad

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Unusual1 detections

Auto-extracted: 1 detections for unusual

General Monitoring1 detections

Auto-extracted: 1 detections for general monitoring

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Unusual1 detections

Auto-extracted: 1 detections for unusual

Evasion1 detections

Auto-extracted: 1 detections for evasion

Tamper1 detections

Auto-extracted: 1 detections for tamper

THREAT ACTORS (6)

APT28APT41RockeTeamTNTUNC3886Winnti Group

DETECTIONS (30)

BPF Program or Map Load via bpftool
elasticmedium
BPF Program Tampering via bpftool
elasticmedium
BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)
crowdstrike_cql
BYOVD Driver Load with EDR/AV Process Termination (Medusa Ransomware)
crowdstrike_cql
Kernel Driver Load
elasticlow
Kernel Driver Load by non-root User
elasticmedium
Kernel Instrumentation Discovery via kprobes and tracefs
elasticlow
Kernel Load or Unload via Kexec Detected
elasticmedium
Kernel Module Load from Unusual Location
elastichigh
Kernel Module Load via Built-in Utility
elasticmedium
Kernel Object File Creation
elasticlow
Kernel Seeking Activity
elasticmedium
Kernel Unpacking Activity
elasticmedium
Linux Auditd Kernel Module Enumeration
splunk_escu
Linux Kernel Module Enumeration
splunk_escu
Linux Medusa Rootkit
splunk_escu
Loadable Kernel Module Configuration File Creation
elasticmedium
Network Activity Detected via Kworker
elasticlow
Potential Persistence via File Modification
elasticlow
Suspicious File Creation via Kworker
elasticmedium
Suspicious Kworker UID Elevation
elasticmedium
Suspicious Usage of bpf_probe_write_user Helper
elastichigh
Tainted Kernel Module Load
elasticmedium
Tainted Out-Of-Tree Kernel Module Load
elasticmedium
Triple Cross eBPF Rootkit Install Commands
sigmahigh
UID Elevation from Previously Unknown Executable
elastichigh
Unusual Execution from Kernel Thread (kthreadd) Parent
elasticmedium
Unusual Kill Signal
elastichigh
Windows Driver Load Non-Standard Path
splunk_escu
Windows Drivers Loaded by Signature
splunk_escu