# T1014 - Rootkit ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1014) <blockquote>Rootkits are programs that hide the existence of malware by intercepting (i.e., [Hooking](https://attack.mitre.org/techniques/T1179)) and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a [Hypervisor](https://attack.mitre.org/techniques/T1062), Master Boot Record, or the [System Firmware](https://attack.mitre.org/techniques/T1019). (Citation: Wikipedia Rootkit) Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)</blockquote> ## Atomic Tests - [Atomic Test #1 - Loadable Kernel Module based Rootkit](#atomic-test-1---loadable-kernel-module-based-rootkit) - [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit) - [Atomic Test #3 - Windows Signed Driver Rootkit Test](#atomic-test-3---windows-signed-driver-rootkit-test) <br/> ## Atomic Test #1 - Loadable Kernel Module based Rootkit Loadable Kernel Module based Rootkit **Supported Platforms:** Linux #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | rootkit_file | Path To Module | String | Module.ko| #### Run it with `sh`! ``` sudo insmod #{rootkit_file} ``` <br/> <br/> ## Atomic Test #2 - Loadable Kernel Module based Rootkit Loadable Kernel Module based Rootkit **Supported Platforms:** Linux #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | rootkit_file | Path To Module | String | Module.ko| #### Run it with `sh`! ``` sudo modprobe #{rootkit_file} ``` <br/> <br/> ## Atomic Test #3 - Windows Signed Driver Rootkit Test This test exploits a signed driver to execute code in Kernel. SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. It would be wise if you only run this in a test environment **Supported Platforms:** Windows #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| | driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys| #### Run it with `command_prompt`! ``` puppetstrings #{driver_path} ``` <br/>