# T1014 Rootkit

-----------------------------------------------------------------------

## Technique Description

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) 

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

## Technique Detection

Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)

-----------------------------------------------------------------------

### Tactics:

  *   Defense-Evasion

### Platforms:

  * Linux

  * macOS

  * Windows

### Defenses Bypassed:

  * Anti-virus

  * File Monitoring

  * Host Intrusion Prevention Systems

  * Application Control

  * Signature-based Detection

  * System Access Controls

### Data Sources:

  * **Drive:** Drive Modification

  * **File:** File Modification

  * **Firmware:** Firmware Modification

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| TeamTNT | [TeamTNT](https://attack.mitre.org/groups/G0139) has used the open-source rootkit Diamorphine to hide cryptocurrency mining activities on the machine.(Citation: Trend Micro TeamTNT) | 
| Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.(Citation: Anomali Rocke March 2019)| 
| APT41 | [APT41](https://attack.mitre.org/groups/G0096) deployed rootkits on Linux systems.(Citation: FireEye APT41 Aug 2019)(Citation: Crowdstrike GTR2020 Mar 2020)| 
| Winnti Group | [Winnti Group](https://attack.mitre.org/groups/G0044) used a rootkit to modify typical server functionality.(Citation: Kaspersky Winnti April 2013)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a UEFI (Unified Extensible Firmware Interface) rootkit known as [LoJax](https://attack.mitre.org/software/S0397).(Citation: Symantec APT28 Oct 2018)(Citation: ESET LoJax Sept 2018)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1014)

  * [Crowdstrike Linux Rootkit](https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/), Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.

  * [Blackhat Mac Osx Rootkit](http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf), Pan, M., Tsai, S. (2014). You can’t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.

  * [Symantec Windows Rootkits](https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf), Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.

  * [Wikipedia Rootkit](https://en.wikipedia.org/wiki/Rootkit), Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.

  * [Capec](https://capec.mitre.org/data/definitions/552.html)

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries will use a rootkit to evade detection and establish persistence.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT28 | 1, 2 | |

#### APT28
- APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax.

#### LoJax
- LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.

#### Turla
- Uroburos is a rootkit used by Turla.

## Detection Blindspots

- The fundamental problem with rootkit detection is that if the operating system has been subverted, particularly by a kernel-level rootkit, it cannot be trusted to find unauthorized modifications to itself or its components. Actions such as requesting a list of running processes, or a list of files in a directory, cannot be trusted to behave as expected.

## Analytical References

  * [Atomic Red Team T1014 (github)](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md)
  * [Rootkit Detection (wikipedia)](https://en.wikipedia.org/wiki/Rootkit#Detection)
  * [The Epic Turla Operation (securelist)](https://securelist.com/the-epic-turla-operation/65545/)
  * [ESET Lojax (welivesecurity)](https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf)
  * [Uroburos 2014 (kaspersky)](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/08/20082358/uroburos.pdf)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR.
- Forcing a complete dump of virtual memory will capture an active rootkit (or a kernel dump in the case of a kernel-mode rootkit), allowing offline forensic analysis to be performed with a debugger against the resulting dump file, without the rootkit being able to take any measures to cloak itself.

### Deep Dive
- LoJax Infected System Boot Process
  - <img src="../../Images/T1014_LoJax_Boot-Process.jpg" width="800" height="600">

- LoJax Known Malicious IOCs


#### Analytic 1

  * **Information:** Detect files related to LoJax

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 
      - rpcnetp.exe = a small agent that is part of the legitimate LoJack/Computrace product and talks to the vendor's legitimate C2. On its own it is benign, but its presence can lead to discovery of the malicious LoJax (rootkit) instance that abuses it.
      - info_efi.exe = a custom tool that dumps information about low-level system settings (LoJax rootkit)
      - autoche.exe = a modified copy of the legitimate autochk.exe; used to set up persistence for rpcnetp.exe via the BootExecute registry value (see Analytic 2)
      - LoJax is bundled with the legitimate RWEverything utility, whose kernel driver is RwDrv.sys. Look for services or driver loads referencing that driver.

  * **Query:** ```imageName : rpcnetp.exe OR imageName : info_efi.exe OR imageName : autoche.exe```
  * **Query:** ```dllName : RwDrv.sys OR imageName : (ReWriter_read.exe OR ReWriter_binary.exe)```

#### Analytic 2

  * **Information:** Detect registry modification for autocheck (LoJax)

  * **Source:** Windows Audits, Sysmon

  * **Tool:**  Kibana

  * **Notes:** 
      - The stock value of BootExecute is `autocheck autochk *`; LoJax rewrites it to `autocheck autoche *` so its modified binary runs at boot. The query below matches writes of either value, so a hit on the stock value indicates the key was touched but is not by itself malicious; a hit on `autoche` is.

  * **Query:** ```regKey : "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute" AND regKeyValue : ("autocheck autochk *" OR "autocheck autoche *")```
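As an added example (not part of this playbook), Analytic 1 and Analytic 2 rerun offline in Python over constructed Sysmon-style records: the field names imageName, dllName, regKey and regKeyValue are assumed from the Kibana queries above, the sample events are constructed, and the stock BootExecute value `autocheck autochk *` is the baseline so only a changed value raises Analytic 2.

```python
import re

# Analytic 1: LoJax file names from the queries above plus the RWEverything driver.
LOJAX_IMAGES = {"rpcnetp.exe", "info_efi.exe", "autoche.exe",
                "rewriter_read.exe", "rewriter_binary.exe"}
LOJAX_DRIVERS = {"rwdrv.sys"}

# Analytic 2: stock Windows sets BootExecute to "autocheck autochk *"; LoJax
# points it at autoche.exe, so any deviation from the stock value is the
# finding (the stock value alone is not).
BOOTEXECUTE_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
                   r"\Control\Session Manager\BootExecute")
BOOTEXECUTE_DEFAULT = "autocheck autochk *"

def _basename(path):
    """Lower-cased file name without its directory (\\ or / separators)."""
    return re.split(r"[\\/]", path)[-1].lower()

def evaluate(event):
    """Return sorted analytic ids ('A1', 'A2') the event triggers.
    Field names (imageName, dllName, regKey, regKeyValue) are assumed to
    match the Kibana queries above."""
    hits = set()
    if _basename(event.get("imageName", "")) in LOJAX_IMAGES:
        hits.add("A1")
    if _basename(event.get("dllName", "")) in LOJAX_DRIVERS:
        hits.add("A1")
    if event.get("regKey", "").lower() == BOOTEXECUTE_KEY.lower():
        # Collapse repeated spaces so padding cannot dodge the comparison.
        value = " ".join(event.get("regKeyValue", "").lower().split())
        if value != BOOTEXECUTE_DEFAULT:
            hits.add("A2")
    return sorted(hits)

def triage(events):
    """Map event index -> hits, dropping events that trigger nothing."""
    return {i: h for i, e in enumerate(events) if (h := evaluate(e))}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"imageName": r"C:\Windows\System32\svchost.exe"},                  # benign
    {"imageName": r"C:\Users\Public\ReWriter_read.exe"},                # A1
    {"imageName": r"C:\Windows\System32\autoche.exe",                   # A1
     "dllName": r"C:\Windows\System32\drivers\RwDrv.sys"},
    {"regKey": BOOTEXECUTE_KEY, "regKeyValue": "autocheck autochk *"},  # stock
    {"regKey": BOOTEXECUTE_KEY, "regKeyValue": "autocheck  autoche *"}, # A2
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```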



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

