ATT&CK® Deep Dive: How To Detect Rootkits

01:54 Panelist Introduction

02:24 Webinar Agenda

03:20 Rootkit Definition

03:47 Why Rootkits?

04:00 “They’re persistent. They’re often living at levels that are really hard for our tools to detect them.” – Adam

04:59 Four Varieties of Rootkits

05:29 Hardware and Firmware Rootkits

06:52 “One of the reasons I put Mebromi in here is because it happens to be the first piece of software we ever put into ATT&CK. It’s S0001.” – Adam

10:52 Across OSes

11:15 “The firmware is going to be the same across operating systems.” – Adam

12:12 Bootkits/Bootloaders

12:19 “A bootkit will either overwrite the original bootcode or the VBR or patch a portion of it to execute a custom code.” – Jared

14:21 Across OSes 

15:10 Kernel Rootkits

15:13 “It’s a type of malware or tool that hides itself or other components from the OS as well as other capabilities like hiding network connections.” – Jared

17:00 “Skidmap had a rootkit component that was used to hide crypto mining processes and it also altered network stats and connections.” – Jared

19:25 Windows Mitigation

20:50 “There is a series of events that lead up to these rootkits being able to run.” – Jared

22:25 macOS Mitigation

23:39 “Apple is now exposing all of that information that would normally require a kernel extension through APIs that are accessible through userland.” – Joren

24:00 “Eventually it seems like everything will require notarization and therefore that hardened run time.” – Joren

27:07 “You can search an alert on any endpoint telemetry you’re collecting through an open-source tool or EDR product. They look for uses of ktextload, which actually loads a kernel extension or more of the rootkit style behaviors.” – Joren

28:42 Linux Mitigation

33:24 Usermode Rootkits

33:39 “This is one of the only types that doesn’t require administrative privileges.” – Joren

37:15 “A usermode rootkit might change what’s returned to another process. And typically it only requires admin or root versus additional levels of privileges.” – Joren

38:02 macOS Mitigations

38:58 “This basically prevents someone from replacing an expected shared object with a malicious one, and now your host application is doing things it shouldn’t.” – Joren

40:13 Linux Mitigations

40:22 “You don’t want root to equal kernel. You have some options available to you now with later versions of the Linux kernel.” – Joren

43:12 Practical Takeaways

43:35 “Don’t turn off the things that are included with operating system protections.” – Tony

45:33 “Turn on the protections you have. It’s a really hard space for detection so you need to do everything you can to not end up in this position in the first place.” – Adam

46:25 Questions & Answers

47:49 Question 1: Are we still good with the security UEFI or is it a mistake

47:55 “The UEFI standard has secure boot in it as part of the standard.” – Adam

49:15 Question 2: How effective are “rkhunter” on Linux? Do they affect more than usermode rootkits?

49:47 “They will look for artifacts known to be associated with rootkit families.” – Joren

50:55 Question 3: What are some strategies for dealing with out of band management implants?

51:39 “Make sure you’re actually running the updates that you have. It’s way outside of your visibility.” – Adam

52:59 Question 4: Have you seen any use of rootkits with ransomware variants?

53:30 “There is not a whole lot of need to have a rootkit with ransomware.” – Jared

56:08 Question 5: Due to the nature of legacy systems, are they still vulnerable to the four types of rootkits discussed here today?

56:30 “The one piece of good news is that commercial virtualization, especially newer products, do have some of the same protections built in that real hardware does.” – Adam

57:00 Question 6: Is there a dummy rootkit to use for PenTesting?

57:15 “I would be very careful because they are very prone to do weird things especially when you start messing with things at that level.” – Jared