Skip to content

Latest commit

 

History

History
172 lines (111 loc) · 5.53 KB

T1014.md

File metadata and controls

172 lines (111 loc) · 5.53 KB

T1014 - Rootkit

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or System Firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

Atomic Tests


Atomic Test #1 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
rootkit_source_path Path to the rootkit source. Used when prerequistes are fetched. path PathToAtomicsFolder/T1014/src/Linux
rootkit_path Path To rootkit String PathToAtomicsFolder/T1014/bin/T1014.ko
rootkit_name Module name String T1014
temp_folder Temp folder used to compile the code. Used when prerequistes are fetched. path /tmp/T1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo insmod #{rootkit_path}

Cleanup Commands:

sudo rmmod #{rootkit_name}

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_path})
Check Prereq Commands:
if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; 
Get Prereq Commands:
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}


Atomic Test #2 - Loadable Kernel Module based Rootkit

Loadable Kernel Module based Rootkit

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
rootkit_source_path Path to the rootkit source. Used when prerequistes are fetched. path PathToAtomicsFolder/T1014/src/Linux
rootkit_path Path To rootkit String PathToAtomicsFolder/T1014/bin/T1014.ko
rootkit_name Module name String T1014
temp_folder Temp folder used to compile the code. Used when prerequistes are fetched. path /tmp/T1014

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

sudo modprobe #{rootkit_name}

Cleanup Commands:

sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a

Dependencies: Run with bash!

Description: The kernel module must exist on disk at specified location (#{rootkit_path})
Check Prereq Commands:
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; 
Get Prereq Commands:
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make        
sudo cp #{temp_folder}/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
sudo depmod -a


Atomic Test #3 - Windows Signed Driver Rootkit Test

This test exploits a signed driver to execute code in Kernel. This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
driver_path Path to a vulnerable driver Path C:\Drivers\driver.sys
puppetstrings_path Path of puppetstrings.exe Path PathToAtomicsFolder\T1014\bin\puppetstrings.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

#{puppetstrings_path} #{driver_path}

Dependencies: Run with powershell!

Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
Check Prereq Commands:
if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1} 
Get Prereq Commands:
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}"