September 22, 2020 Detection and response
Susannah Clark

Nothing to hide: seeking out rootkits

Experts from Red Canary, VMware Carbon Black, and MITRE ATT&CK give advice about how to bring rootkits out from the shadows.

You never know what might be hiding in the depths of your network. As part of our ATT&CK Deep Dive webinar series, Red Canary’s Tony Lambert and Joren McReynolds joined Adam Pennington from MITRE and Jared Myers from VMware Carbon Black to demystify the threat of rootkits. You can watch the full recording here or check out the highlight clips below.

First things first, what is a rootkit?

According to MITRE:

Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.

Rootkits enable adversaries to evade antivirus and other security tooling and remain under the radar for as long as the hooks stay in place. So let’s play… Legends of the Hidden Rootkit!


Why are rootkits useful to adversaries?

Adam explains how rootkits enjoy privileged access to persistently evade security controls and tools.

Which rootkits should I be concerned about?

Our panelists break down four varieties of rootkits, starting with hardware and firmware rootkits:


Jared walks us through bootkits and bootloaders, dating the Brain boot-sector virus (and himself) with a Bangles reference.


Kernel rootkits, such as the signed driver component of the infamous Stuxnet, are the most common type. Jared passes the mic to Joren to get into how mitigation looks on Windows, macOS, and Linux systems.


Usermode rootkits, Tony’s personal favorite, are the only type that don’t require administrative privileges to install. Joren explains why that makes a difference.


What can I do now to keep ahead of rootkit threats?

A lot. Tony walks through recommended precautions and all four panelists take questions from the audience.


For hardware, firmware, and bootloader rootkits:

  • Enable Secure Boot
  • Monitor bootloader replacement, if possible
  • Enforce signed BIOS updates
  • Obtain hardware from trusted sources

For kernel and usermode rootkits:

  • Upgrade, upgrade, upgrade
  • Restrict administrator and root permissions
  • Enable driver signature enforcement
  • Disallow kernel extensions and modules for unauthorized software
  • Instrument your endpoints to hunt for suspicious or malicious behaviors
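Most of the controls in both lists above leave a footprint in standard Linux kernel interfaces, so a hunter can check them without vendor tooling. The script below is an added example, not code from the webinar or from Red Canary: it reads the EFI SecureBoot variable, the kernel lockdown mode, the module signature-enforcement parameter, the kernel taint mask (bit 12 = out-of-tree module, bit 13 = unsigned module) and each loaded module’s own taint flags, then turns them into findings. The `root` parameter and the `build_demo_tree()` helper are assumptions introduced here so the same functions can be pointed at a constructed sysfs/procfs tree (with a made-up module named `evilmod`) instead of the live host.

```python
"""Audit Linux rootkit-relevant hardening state from sysfs/procfs.

Added example, not from the Red Canary webinar. `root` is a constructed
parameter: "/" audits the live host, any other path audits a fake tree.
"""
import os
import tempfile

SECUREBOOT_VAR = "sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
LOCKDOWN_FILE = "sys/kernel/security/lockdown"
SIG_ENFORCE_FILE = "sys/module/module/parameters/sig_enforce"
TAINTED_FILE = "proc/sys/kernel/tainted"
MODULES_DIR = "sys/module"

# Taint bits (Documentation/admin-guide/tainted-kernels.rst) relevant to rootkits
TAINT_UNSIGNED_MODULE = 1 << 13   # 'E': a module without a valid signature was loaded
TAINT_OOT_MODULE = 1 << 12        # 'O': an out-of-tree module was loaded


def _read(root, rel):
    try:
        with open(os.path.join(root, rel), "rb") as f:
            return f.read()
    except OSError:
        return None


def secure_boot_enabled(root="/"):
    """EFI variable payload: 4 attribute bytes, then one data byte (1 = enabled).
    None means the variable is absent (legacy BIOS boot or efivarfs not mounted)."""
    data = _read(root, SECUREBOOT_VAR)
    if data is None or len(data) < 5:
        return None
    return data[4] == 1


def lockdown_mode(root="/"):
    """Active mode is the bracketed token, e.g. 'none [integrity] confidentiality'."""
    data = _read(root, LOCKDOWN_FILE)
    if data is None:
        return None
    for tok in data.decode(errors="replace").split():
        if tok.startswith("[") and tok.endswith("]"):
            return tok[1:-1]
    return None


def module_sig_enforced(root="/"):
    data = _read(root, SIG_ENFORCE_FILE)
    return None if data is None else data.strip() == b"Y"


def suspicious_modules(root="/"):
    """Loaded modules whose own taint flags show out-of-tree (O), unsigned (E) or forced (F)."""
    found = {}
    mod_dir = os.path.join(root, MODULES_DIR)
    if not os.path.isdir(mod_dir):
        return found
    for name in sorted(os.listdir(mod_dir)):
        taint = _read(root, os.path.join(MODULES_DIR, name, "taint"))
        if taint is None:
            continue  # built-in code or parameter-only entry, not a loaded module
        flags = taint.decode(errors="replace").strip()
        if any(c in flags for c in "OEF"):
            found[name] = flags
    return found


def audit(root="/"):
    raw = _read(root, TAINTED_FILE)
    tainted = int(raw.strip()) if raw and raw.strip() else 0
    return {
        "secure_boot": secure_boot_enabled(root),
        "lockdown": lockdown_mode(root),
        "module_sig_enforce": module_sig_enforced(root),
        "unsigned_module_loaded": bool(tainted & TAINT_UNSIGNED_MODULE),
        "out_of_tree_module_loaded": bool(tainted & TAINT_OOT_MODULE),
        "suspicious_modules": suspicious_modules(root),
    }


def findings(report):
    """Reduce the raw report to the items worth a hunter's attention."""
    out = []
    if report["secure_boot"] is not True:
        out.append("Secure Boot not confirmed enabled")
    if report["lockdown"] in (None, "none"):
        out.append("kernel lockdown off")
    if report["module_sig_enforce"] is not True:
        out.append("module signature enforcement off")
    if report["unsigned_module_loaded"]:
        out.append("kernel tainted by an unsigned module (E)")
    for name, flags in report["suspicious_modules"].items():
        out.append(f"module {name} tainted {flags}")
    return out


def build_demo_tree():
    """Constructed sample (not a real host): Secure Boot on, lockdown off, signatures
    not enforced, one unsigned out-of-tree module 'evilmod' beside a clean 'ext4'."""
    root = tempfile.mkdtemp()
    files = {
        SECUREBOOT_VAR: b"\x06\x00\x00\x00\x01",
        LOCKDOWN_FILE: b"[none] integrity confidentiality\n",
        SIG_ENFORCE_FILE: b"N\n",
        TAINTED_FILE: b"12288\n",          # 4096 (O) + 8192 (E)
        "sys/module/evilmod/taint": b"OE\n",
        "sys/module/ext4/taint": b"\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    target = build_demo_tree() if os.environ.get("DEMO") else "/"
    for line in findings(audit(target)) or ["no findings"]:
        print(line)
```

Run it as root on a live host for the real picture, or with `DEMO=1` to see the four findings the constructed tree produces. Note what the check cannot do: a kernel rootkit that is already resident can lie about every one of these files, so the same script run from outside the suspect kernel (a rescue boot or the hypervisor) is the view to trust; on Windows the equivalent signals are the Code Integrity policy state and `driverquery /si` output, and the same cross-view caveat applies.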
