T1014.md

T1014 - Rootkit

Description from ATT&CK

Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. (Citation: Wikipedia Rootkit)

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

Detection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)

Platforms: Linux, macOS, Windows

Data Sources: BIOS, MBR, System calls

Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting, Signature-based detection, System access controls, Whitelisting by file name or path

Permissions Required: Administrator, SYSTEM, root

Atomic Tests

• Atomic Test #1 - Loadable Kernel Module based Rootkit

• Atomic Test #2 - Loadable Kernel Module based Rootkit

• Atomic Test #3 - LD_PRELOAD based Rootkit

• Atomic Test #4 - Windows Signed Driver Rootkit Test

Atomic Test #1 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

Inputs

Name	Description	Type	Default Value
rootkit_file	Path To Module	String	Module.ko

Run it with sh!

sudo insmod #{rootkit_file}

Atomic Test #2 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

Inputs

Name	Description	Type	Default Value
rootkit_file	Path To Module	String	Module.ko

Run it with sh!

sudo modprobe #{rootkit_file}

Atomic Test #3 - LD_PRELOAD based Rootkit

LD_PRELOAD based Rootkit

Supported Platforms: Linux

Run it with sh!

export LD_PRELOAD=$PWD/#{rootkit_file}

Atomic Test #4 - Windows Signed Driver Rootkit Test

This test exploits a signed driver to execute code in Kernel. SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. It would be wise if you only run this in a test environment

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
driver_path	Path to the vulnerable driver	Path	C:\Drivers\driver.sys

Run it with command_prompt!

puppetstrings #{driver_path}