Rootkit - T1014
(ATT&CK® Technique)
Definition
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
D3FEND Inferred Relationships
The knowledge graph links T1014 to the system artifacts a rootkit may modify, and from those artifacts to the D3FEND defensive techniques that act on them. The inferred relationships in the graph are listed below.

Artifacts that Rootkit (T1014, /offensive-technique/attack/T1014/) may-modify:
- Firmware (/dao/artifact/d3f:Firmware)
- Boot Sector (/dao/artifact/d3f:BootSector)
- Kernel (/dao/artifact/d3f:Kernel)
- Kernel Module (/dao/artifact/d3f:KernelModule)
- Shared Library File (/dao/artifact/d3f:SharedLibraryFile)

Defensive techniques, grouped by their inferred relationship to T1014 and the artifact each one acts on:

may-deceive:
- Decoy File (/technique/d3f:DecoyFile) spoofs Kernel Module, Shared Library File

may-detect:
- File Integrity Monitoring (/technique/d3f:FileIntegrityMonitoring) analyzes Kernel Module, Shared Library File
- File Analysis (/technique/d3f:FileAnalysis) analyzes Kernel Module, Shared Library File
- Firmware Embedded Monitoring Code (/technique/d3f:FirmwareEmbeddedMonitoringCode) analyzes Firmware
- Firmware Behavior Analysis (/technique/d3f:FirmwareBehaviorAnalysis) analyzes Firmware
- Firmware Verification (/technique/d3f:FirmwareVerification) verifies Firmware

may-harden:
- File Encryption (/technique/d3f:FileEncryption) encrypts Kernel Module, Shared Library File
- Software Update (/technique/d3f:SoftwareUpdate) updates Firmware, Kernel

may-isolate:
- Content Filtering (/technique/d3f:ContentFiltering) filters Kernel Module, Shared Library File
- Content Modification (/technique/d3f:ContentModification) modifies Kernel Module, Shared Library File
- Content Quarantine (/technique/d3f:ContentQuarantine) quarantines Kernel Module, Shared Library File
- Local File Permissions (/technique/d3f:LocalFilePermissions) restricts Kernel Module, Shared Library File
- Remote File Access Mediation (/technique/d3f:RemoteFileAccessMediation) isolates Kernel Module, Shared Library File

may-evict:
- File Eviction (/technique/d3f:FileEviction) deletes Kernel Module, Shared Library File

may-restore:
- Restore File (/technique/d3f:RestoreFile) restores Kernel Module, Shared Library File
- Restore Software (/technique/d3f:RestoreSoftware) restores Kernel, Firmware

Note that Boot Sector appears in the graph only as a may-modify target of T1014; no defensive technique in the inferred relationships acts on that artifact, so boot-sector coverage must come from elsewhere in a defensive plan.