Skip to content

Latest commit

 

History

History
158 lines (99 loc) · 4.76 KB

T1014.md

File metadata and controls

158 lines (99 loc) · 4.76 KB

T1014 - Rootkit

Description from ATT&CK

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

Atomic Tests


Atomic Test #1 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
rootkit_source_path Path to the rootkit source. Used when prerequistes are fetched. path PathToAtomicsFolder/T1014/src/Linux
rootkit_path Path To rootkit String PathToAtomicsFolder/T1014/bin/T1014.ko
rootkit_name Module name String T1014
temp_folder Temp folder used to compile the code. Used when prerequistes are fetched. path /tmp/T1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo insmod #{rootkit_path}

Cleanup Commands:

sudo rmmod #{rootkit_name}

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_path})
Check Prereq Commands:
if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}


Atomic Test #2 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
rootkit_source_path Path to the rootkit source. Used when prerequistes are fetched. path PathToAtomicsFolder/T1014/src/Linux
rootkit_path Path To rootkit String PathToAtomicsFolder/T1014/bin/T1014.ko
rootkit_name Module name String T1014
temp_folder Temp folder used to compile the code. Used when prerequistes are fetched. path /tmp/T1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo modprobe #{rootkit_name}

Cleanup Commands:

sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_path})
Check Prereq Commands:
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make        
sudo cp #{temp_folder}/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
sudo depmod -a


Atomic Test #3 - Windows Signed Driver Rootkit Test

This test exploits a signed driver to execute code in Kernel. SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. It would be wise if you only run this in a test environment

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
driver_path Path to the vulnerable driver Path C:\Drivers\driver.sys

Attack Commands: Run with command_prompt!

puppetstrings #{driver_path}