{
    "type": "bundle",
    "id": "bundle--53a33f3a-09b5-4db4-a9d4-2cf99be79908",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-30T21:01:50.568Z",
            "name": "Rootkit",
            "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "defense-evasion"
                }
            ],
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_deprecated": false,
            "x_mitre_detection": "Some rootkit protections may be built into anti-virus or operating system software. There are dedicated rootkit detection tools that look for specific types of rootkit behavior. Monitor for the existence of unrecognized DLLs, devices, services, and changes to the MBR. (Citation: Wikipedia Rootkit)",
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ],
            "x_mitre_version": "1.1",
            "x_mitre_data_sources": [
                "File: File Modification",
                "Drive: Drive Modification",
                "Firmware: Firmware Modification"
            ],
            "x_mitre_defense_bypassed": [
                "Anti-virus",
                "File Monitoring",
                "Host Intrusion Prevention Systems",
                "Application Control",
                "Signature-based Detection",
                "System Access Controls"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
            "created": "2017-05-31T21:30:26.496Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1014",
                    "external_id": "T1014"
                },
                {
                    "source_name": "CrowdStrike Linux Rootkit",
                    "description": "Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.",
                    "url": "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/"
                },
                {
                    "source_name": "BlackHat Mac OSX Rootkit",
                    "description": "Pan, M., Tsai, S. (2014). You can\u2019t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.",
                    "url": "http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf"
                },
                {
                    "source_name": "Symantec Windows Rootkits",
                    "description": "Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.",
                    "url": "https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf"
                },
                {
                    "source_name": "Wikipedia Rootkit",
                    "description": "Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.",
                    "url": "https://en.wikipedia.org/wiki/Rootkit"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ]
        }
    ]
}