T1014: Rootkit
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. Rootkits have been seen for Windows, Linux, and Mac OS X systems.
Positive Technologies products that cover the technique
Description of detection methods is not available yet
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0016 | Drive: Drive Modification | Monitor for changes made to drive letters or mount points of data storage devices for unexpected modifications that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. |
| DS0001 | Firmware: Firmware Modification | Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. |
| DS0022 | File: File Modification | Monitor for changes and the existence of unrecognized DLLs, drivers, devices, services, and to the MBR. |
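The DS0022 row above (unrecognized drivers/DLLs and changes to the MBR) is the kind of check that can be implemented as a baseline-and-diff monitor. The following is an added example, not code from this page or from any vendor product: it hashes driver and DLL files under a directory, fingerprints the boot-code and partition-table regions of a 512-byte MBR image, and reports what changed against a stored baseline. The directory contents and the MBR images are constructed in `demo()` so the script runs offline; on a real host the directory would be the OS driver location and the MBR would be read from the raw disk device, both of which are assumptions here rather than anything the page specifies.

```python
"""Baseline-and-diff monitor for driver files and the MBR (added example)."""
import hashlib
import tempfile
from pathlib import Path

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: boot code (the region a bootkit patches)
PARTITION_TABLE = slice(446, 510)  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_directory(root: Path, suffixes=(".sys", ".dll")) -> dict:
    """Map each driver/DLL under root (relative POSIX path) to its SHA-256."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            result[path.relative_to(root).as_posix()] = sha256_bytes(path.read_bytes())
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed hash since the baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def mbr_fingerprint(mbr: bytes) -> dict:
    """Hash the MBR regions separately so a report can say *which* part changed."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    return {
        "boot_code": sha256_bytes(mbr[:BOOT_CODE_LEN]),
        "partition_table": sha256_bytes(mbr[PARTITION_TABLE]),
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def changed_mbr_fields(baseline: dict, current: dict) -> list:
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def build_sample_mbr(filler: int) -> bytes:
    """Constructed MBR image: boot code filled with one byte, empty partition table."""
    boot_code = bytes([filler]) * BOOT_CODE_LEN
    disk_id_and_pad = b"\x00" * 6          # bytes 440..445
    partition_table = b"\x00" * 64         # bytes 446..509
    return boot_code + disk_id_and_pad + partition_table + BOOT_SIGNATURE


def demo() -> dict:
    """Run the monitor over constructed data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "disk.sys").write_bytes(b"constructed driver image A")
        (root / "drivers" / "ntfs.sys").write_bytes(b"constructed driver image B")
        baseline = snapshot_directory(root)

        # Simulated post-incident state: one unrecognized driver, one patched driver.
        (root / "drivers" / "hidden.sys").write_bytes(b"constructed unknown driver")
        (root / "drivers" / "disk.sys").write_bytes(b"constructed driver image A, patched")
        file_changes = diff_snapshots(baseline, snapshot_directory(root))

    # Baseline MBR vs. one whose boot code was rewritten; partition table is untouched.
    mbr_changes = changed_mbr_fields(
        mbr_fingerprint(build_sample_mbr(0x90)),
        mbr_fingerprint(build_sample_mbr(0xEB)),
    )
    return {"files": file_changes, "mbr": mbr_changes}


if __name__ == "__main__":
    print(demo())
```

The baseline should be taken from a known-good state and stored off-host; a file snapshot collected through the normal OS API on an already compromised system can be fed false data by the very hooks the technique description mentions, which is why the DS0001 row points to dedicated rootkit detection tools in addition to file monitoring.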