Webinar, September 16, 2020
Presenters: Tony Lambert, Joren McReynolds, Adam Pennington, Jared Myers

ATT&CK® Deep Dive: How To Detect Rootkits

Immerse yourself in the world of rootkits—a potent and obscure variety of malware that’s as attractive to adversaries as it is elusive to defenders.

  • Get the rootkit definition, explore different types of rootkits, and see how they manifest on Linux, Windows, and macOS
  • Learn how to detect rootkits and identify activities for threat hunts and alert investigations
  • Get insights into how you can use the ATT&CK framework to shore up your defenses against rootkit techniques
  • Address your visibility requirements so you can configure preventative and detection controls

Rootkits exist at the lowest levels of an operating system, offering adversaries stealthy, persistent, and comprehensive control over an infected machine. Since this kind of malicious software often resides beneath the application layer of the operating system in a highly privileged piece of software called the kernel, it can be difficult to observe, let alone detect.

In recent years, Microsoft and Apple have very intentionally built protections into Windows and macOS that make it increasingly difficult for anything to interact with the kernel. On the one hand, this makes it harder for adversaries to access these deeply privileged parts of the operating system, but, on the other hand, it also makes it difficult for defenders to gather important optics from there as well.

01:54 Panelist Introduction

02:24 Webinar Agenda

03:20 Rootkit Definition

03:47 Why Rootkits?

04:00 “They’re persistent. They’re often living at levels that are really hard for our tools to detect them.” – Adam

04:59 Four Varieties of Rootkits

05:29 Hardware and Firmware Rootkits

06:52 “One of the reasons I put Mebromi in here is because it happens to be the first piece of software we ever put into ATT&CK. It’s S0001.” – Adam

10:52 Across OSes

11:15 “The firmware is going to be the same across operating systems.” – Adam

12:12 Bootkits/Bootloaders

12:19 “A bootkit will either overwrite the original boot code or the VBR, or patch a portion of it to execute custom code.” – Jared

14:21 Across OSes

15:10 Kernel Rootkits

15:13 “It’s a type of malware or tool that hides itself or other components from the OS as well as other capabilities like hiding network connections.” – Jared

17:00 “Skidmap had a rootkit component that was used to hide crypto mining processes and it also altered network stats and connections.” – Jared

19:25 Windows Mitigation

20:50 “There is a series of events that lead up to these rootkits being able to run.” – Jared

22:25 macOS Mitigation

23:39 “Apple is now exposing all of that information that would normally require a kernel extension through APIs that are accessible through userland.” – Joren

24:00 “Eventually it seems like everything will require notarization and therefore that hardened run time.” – Joren

27:07 “You can search an alert on any endpoint telemetry you’re collecting through an open-source tool or EDR product. They look for uses of kextload, which actually loads a kernel extension, or more of the rootkit-style behaviors.” – Joren

28:42 Linux Mitigation

33:24 Usermode Rootkits

33:39 “This is one of the only types that doesn’t require administrative privileges.” – Joren

37:15 “A usermode rootkit might change what’s returned to another process. And typically it only requires admin or root versus additional levels of privileges.” – Joren

38:02 macOS Mitigations

38:58 “This basically prevents someone from replacing an expected shared object with a malicious one, and now your host application is doing things it shouldn’t.” – Joren

40:13 Linux Mitigations

40:22 “You don’t want root to equal kernel. You have some options available to you now with later versions of the Linux kernel.” – Joren

43:12 Practical Takeaways

43:35 “Don’t turn off the things that are included with operating system protections.” – Tony

45:33 “Turn on the protections you have. It’s a really hard space for detection so you need to do everything you can to not end up in this position in the first place.” – Adam

46:25 Questions & Answers

47:49 Question 1: Are we still good with UEFI security, or is it a mistake?

47:55 “The UEFI standard has secure boot in it as part of the standard.” – Adam

49:15 Question 2: How effective is “rkhunter” on Linux? Does it affect more than usermode rootkits?

49:47 “They will look for artifacts known to be associated with rootkit families.” – Joren

50:55 Question 3: What are some strategies for dealing with out-of-band management implants?

51:39 “Make sure you’re actually running the updates that you have. It’s way outside of your visibility.” – Adam

52:59 Question 4: Have you seen any use of rootkits with ransomware variants?

53:30 “There is not a whole lot of need to have a rootkit with ransomware.” – Jared

56:08 Question 5: Due to the nature of legacy systems, are they still vulnerable to the four types of rootkits discussed here today?

56:30 “The one piece of good news is that commercial virtualization, especially newer products, does have some of the same protections built in that real hardware does.” – Adam

57:00 Question 6: Is there a dummy rootkit to use for PenTesting?

57:15 “I would be very careful because they are very prone to do weird things especially when you start messing with things at that level.” – Jared

Tony Lambert
Intelligence Analyst, Red Canary
Adam Pennington
Principal Cyber Security Engineer, MITRE ATT&CK
Jared Myers
Technical Lead of Threat Research, VMware Carbon Black
Joren McReynolds
Director of Product, Red Canary

Red Canary delivers 24/7 threat detection and open-source tools to organizations of all sizes. Our proprietary platform collects hundreds of terabytes of endpoint telemetry every day, surfacing evidence of threats that are analyzed by our team of security veterans on behalf of our customers. This behavioral approach gives us a broad and unique view into evolving adversary behaviors, tactics, and techniques—a view we’re proud to share with the security community.
