Nothing to hide: seeking out rootkits

Experts from Red Canary, VMware Carbon Black, and MITRE ATT&CK give advice about how to bring rootkits out from the shadows.

Susannah Clark Matt

You never know what might be hiding in the depths of your network. As part of our ATT&CK Deep Dive webinar series, Red Canary’s Tony Lambert and Joren McReynolds joined Adam Pennington from MITRE and Jared Myers from VMware Carbon Black to demystify the threat of rootkits. You can watch the full recording here or check out the highlight clips below.

First things first, what is a rootkit?

According to MITRE:

Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.

Rootkits enable adversaries to thwart antivirus and remain under the radar. So let’s play… Legends of the Hidden Rootkit!

MITRE ATT&CK rootkit detection webinar

Why are rootkits useful to adversaries?

Adam explains how rootkits enjoy privileged access to persistently evade security controls and tools.

Which rootkits should I be concerned about?

Our panelists break down four varieties of rootkits, starting with hardware and firmware rootkits:

Jared walks us through bootkits and bootloaders, dating the Brain! bootkit (and himself) with a Bangles reference.

Kernel rootkits, such as the infamous Stuxnet, are the most common type. Jared passes the mic to Joren to get into how mitigation looks on Windows, Mac, and Linux systems.

Usermode rootkits, Tony’s personal favorite, are the only type that don’t require administrative privileges. Joren explains why that makes a difference.

What can I do now to keep ahead of rootkit threats?

A lot. Tony walks through recommended precautions and all four panelists take questions from the audience.

For hardware, firmware, and bootloader rootkits:

  • Enable Secure Boot
  • Monitor bootloader replacement, if possible
  • Enforce signed BIOS updates
  • Obtain hardware from trusted sources

For kernel and usermode rootkits:

  • Upgrade, upgrade, upgrade
  • Restrict administrator and root permissions
  • Enable driver signature enforcement
  • Disallow kernel extensions and modules for unauthorized software
  • Instrument your endpoints to hunt for suspicious or malicious behaviors
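One way to put the last bullet into practice, as an added example that is not part of the webinar or the original post: a cross-view comparison that flags processes the kernel still acknowledges but a /proc directory listing omits, which is exactly the gap a usermode rootkit hooking directory enumeration leaves behind. All function names and the sample data below are this example's own constructions.

```python
"""Cross-view hidden-process check (added example, not from the webinar).

A usermode rootkit that hooks readdir()/getdents() to hide a process leaves
a discrepancy between what a listing of /proc shows and what the kernel
answers for a direct PID probe. Diffing the two views surfaces it.
"""
import os
from typing import Callable, Iterable


def pids_from_proc_listing(entries: Iterable[str]) -> set[int]:
    """PIDs visible through a /proc directory listing (the view a hook can filter)."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_probe(max_pid: int, alive: Callable[[int], bool]) -> set[int]:
    """PIDs visible by asking the kernel about each PID directly.

    `alive(pid)` returns True when the PID exists. It is injected so the same
    logic runs against a live host or against constructed data."""
    return {pid for pid in range(1, max_pid + 1) if alive(pid)}


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs the kernel knows about that the listing failed to show."""
    return probed - listed


def linux_alive(pid: int) -> bool:
    """Signal-0 probe: exists (even if owned by another user) or not."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, just not ours to signal
    return True


def scan_live_linux(max_pid: int = 32768) -> set[int]:
    """Run the cross-view check on the current Linux host (assumed /proc layout)."""
    listed = pids_from_proc_listing(os.listdir("/proc"))
    return hidden_pids(listed, pids_from_probe(max_pid, linux_alive))


# Constructed sample: the hooked listing drops PID 4242, the kernel still has it.
SAMPLE_LISTING = ["1", "2", "self", "cpuinfo", "1337", "4243"]
SAMPLE_KERNEL_PIDS = {1, 2, 1337, 4242, 4243}

if __name__ == "__main__":
    found = hidden_pids(pids_from_proc_listing(SAMPLE_LISTING),
                        pids_from_probe(5000, SAMPLE_KERNEL_PIDS.__contains__))
    print("hidden:", sorted(found))  # hidden: [4242]
```

On a live host a process that exits between the two collections shows up as a false positive, so repeat the scan and keep only PIDs flagged every time. A kernel rootkit that hooks both the directory and the signal path will not show up this way, which is why the check complements, rather than replaces, driver signature enforcement and endpoint instrumentation.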