Immerse yourself in the world of rootkits—a potent and obscure variety of malware that’s as attractive to adversaries as it is elusive to defenders.
- Get the rootkit definition, explore different types of rootkits, and see how they manifest on Linux, Windows, and macOS
- Learn how to detect rootkits and identify activities for threat hunts and alert investigations
- Get insights into how you can use the ATT&CK framework to find and close gaps in your defenses
- Address your visibility requirements so you can configure preventive and detective controls
Rootkits exist at the lowest levels of an operating system, offering adversaries stealthy, persistent, and comprehensive control over an infected machine. Since this kind of malicious software often resides beneath the application layer of the operating system in a highly privileged piece of software called the kernel, it can be difficult to observe, let alone detect.
In recent years, Microsoft and Apple have very intentionally built protections into Windows and macOS that make it increasingly difficult for anything to interact with the kernel. On the one hand, this makes it harder for adversaries to reach these deeply privileged parts of the operating system; on the other hand, it also makes it harder for defenders to gather important telemetry from there.
01:54 Panelist Introduction
02:24 Webinar Agenda
03:20 Rootkit Definition
03:47 Why Rootkits?
04:00 “They’re persistent. They’re often living at levels that are really hard for our tools to detect them.” – Adam
04:59 Four Varieties of Rootkits
05:29 Hardware and Firmware Rootkits
06:52 “One of the reasons I put Mebromi in here is because it happens to be the first piece of software we ever put into ATT&CK. It’s S0001.” – Adam
10:52 Across OSes
11:15 “The firmware is going to be the same across operating systems.” – Adam
12:12 Bootkits/Bootloaders
12:19 “A bootkit will either overwrite the original boot code or the VBR, or patch a portion of it to execute custom code.” – Jared
14:21 Across OSes
15:10 Kernel Rootkits
15:13 “It’s a type of malware or tool that hides itself or other components from the OS as well as other capabilities like hiding network connections.” – Jared
17:00 “Skidmap had a rootkit component that was used to hide crypto mining processes and it also altered network stats and connections.” – Jared
19:25 Windows Mitigation
20:50 “There is a series of events that lead up to these rootkits being able to run.” – Jared
22:25 macOS Mitigation
23:39 “Apple is now exposing all of that information that would normally require a kernel extension through APIs that are accessible through userland.” – Joren
24:00 “Eventually it seems like everything will require notarization and therefore that hardened runtime.” – Joren
27:07 “You can search an alert on any endpoint telemetry you’re collecting through an open-source tool or EDR product. They look for uses of kextload, which actually loads a kernel extension, or more of the rootkit-style behaviors.” – Joren
28:42 Linux Mitigation
33:24 Usermode Rootkits
33:39 “This is one of the only types that doesn’t require administrative privileges.” – Joren
37:15 “A usermode rootkit might change what’s returned to another process. And typically it only requires admin or root versus additional levels of privileges.” – Joren
38:02 macOS Mitigations
38:58 “This basically prevents someone from replacing an expected shared object with a malicious one, and now your host application is doing things it shouldn’t.” – Joren
40:13 Linux Mitigations
40:22 “You don’t want root to equal kernel. You have some options available to you now with later versions of the Linux kernel.” – Joren
43:12 Practical Takeaways
43:35 “Don’t turn off the things that are included with operating system protections.” – Tony
45:33 “Turn on the protections you have. It’s a really hard space for detection so you need to do everything you can to not end up in this position in the first place.” – Adam
46:25 Questions & Answers
47:49 Question 1: Are we still good with the security of UEFI, or is it a mistake?
47:55 “The UEFI standard has secure boot in it as part of the standard.” – Adam
49:15 Question 2: How effective are “rkhunter” on Linux? Do they affect more than usermode rootkits?
49:47 “They will look for artifacts known to be associated with rootkit families.” – Joren
50:55 Question 3: What are some strategies for dealing with out-of-band management implants?
51:39 “Make sure you’re actually running the updates that you have. It’s way outside of your visibility.” – Adam
52:59 Question 4: Have you seen any use of rootkits with ransomware variants?
53:30 “There is not a whole lot of need to have a rootkit with ransomware.” – Jared
56:08 Question 5: Due to the nature of legacy systems, are they still vulnerable to the four types of rootkits discussed here today?
56:30 “The one piece of good news is that commercial virtualization, especially newer products, does have some of the same protections built in that real hardware does.” – Adam
57:00 Question 6: Is there a dummy rootkit to use for PenTesting?
57:15 “I would be very careful because they are very prone to do weird things especially when you start messing with things at that level.” – Jared
Panelists
Tony Lambert
Intelligence Analyst, Red Canary
Adam Pennington
Principal Cyber Security Engineer, MITRE ATT&CK
Jared Myers
Technical Lead of Threat Research, VMware Carbon Black
Joren McReynolds
Director of Product, Red Canary
Why does Red Canary have a unique perspective on threats?
Red Canary delivers 24/7 threat detection and open-source tools to organizations of all sizes. Our proprietary platform collects hundreds of terabytes of endpoint telemetry every day, surfacing evidence of threats that are analyzed by our team of security veterans on behalf of our customers. This behavioral approach gives us a broad and unique view into evolving adversary behaviors, tactics, and techniques—a view we’re proud to share with the security community.