Rootkits are programs that hide the existence of malware by intercepting (i.e., Hooking) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a Hypervisor, Master Boot Record, or the System Firmware. (Citation: Wikipedia Rootkit)Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Detection: Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)
Platforms: Linux, macOS, Windows
Data Sources: BIOS, MBR, System calls
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Process whitelisting, Signature-based detection, System access controls, Whitelisting by file name or path
Permissions Required: Administrator, SYSTEM, root
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| rootkit_file | Path To Module | String | Module.ko |
sudo insmod #{rootkit_file}
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
| Name | Description | Type | Default Value |
|---|---|---|---|
| rootkit_file | Path To Module | String | Module.ko |
sudo modprobe #{rootkit_file}
LD_PRELOAD based Rootkit
Supported Platforms: Linux
export LD_PRELOAD=$PWD/#{rootkit_file}