What is a rootkit?

A rootkit is malware designed to hide itself and the attacker’s activity, often deep in the operating system, so the intrusion stays invisible. Here is what a rootkit is and why it is so hard to find.

TL;DR

A rootkit is malware whose purpose is to hide the attacker’s presence (files, processes, network connections, and other malware) by tampering with the operating system’s own view of itself. It can live in user space (hooking libraries, for example via LD_PRELOAD) or in kernel space (a malicious driver or kernel module that intercepts system calls); the deepest variants sit in firmware or in a bootkit. Because it subverts the very tools you would use to detect it, a kernel rootkit usually requires offline or out-of-band detection. It maps to MITRE ATT&CK technique T1014.

By John Dill, Red Team Lead, SecureLayer7

What a rootkit is

A rootkit is not about gaining access; it is about staying hidden once an attacker has it. It modifies how the system reports reality so that the attacker’s files, processes, ports, and other tools do not show up in normal listings.

Rootkits live at different depths: user-mode (hooking shared libraries, for example with LD_PRELOAD on Linux), kernel-mode (a driver/module intercepting syscalls), and firmware/boot (a bootkit that loads before the OS). The deeper it sits, the more it controls and the harder it is to detect.

How rootkits work

A rootkit intercepts the calls used to enumerate the system and filters out the attacker’s artifacts:

  • User-mode: a malicious library loaded via /etc/ld.so.preload or LD_PRELOAD hooks functions like readdir so the attacker’s files and processes are omitted.
  • Kernel-mode: a loadable kernel module (or Windows driver) hooks the syscalls and kernel code paths that tools such as ps and netstat depend on, hiding PIDs, files, and connections and giving the attacker covert control.
  • Bootkit/firmware: loads before the OS, surviving reinstalls.

Installing one requires root/SYSTEM privileges. Documented here for defensive context.

How to defend

  • Prevent the root/SYSTEM compromise a rootkit needs in order to install; this is the real defense.
  • Use Secure Boot, signed drivers/modules, and kernel integrity protections so unsigned kernel code cannot load.
  • Detect out-of-band: memory forensics, offline disk analysis, and comparing system state from outside the running OS.
  • File integrity monitoring and baselining to spot tampering.
  • Rebuild from known-good media when a kernel/firmware rootkit is suspected; cleaning in place is unreliable.
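
A cross-view check for the user-mode hiding described under "How rootkits work", added here as an example and not code from the original article or from SecureLayer7: it compares the /proc listing (which goes through readdir and can be filtered by a preload hook) against a kill(pid, 0) probe of every PID, and reads any /etc/ld.so.preload entries. The function names and the injectable list_view/probe parameters are my own, and a Linux host is assumed.

```python
"""Cross-view check for user-mode process hiding on Linux (added example, not the author's code).

A preload rootkit that hooks readdir() can filter /proc so that ps and ls omit the
attacker's PIDs. kill(pid, 0) never goes through readdir, so a PID that answers the
probe but is missing from the listing is a discrepancy worth investigating.
"""
import os


def preload_entries(path="/etc/ld.so.preload"):
    """Libraries forced into every process via ld.so.preload; an empty list is normal."""
    try:
        with open(path) as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
    except FileNotFoundError:
        return []


def listed_pids(proc="/proc"):
    """View A: PIDs as reported through readdir(), the path a preload hook can filter."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_exists(pid):
    """View B: signal-0 probe. EPERM (PermissionError) still proves the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def find_hidden_pids(pid_max=None, list_view=listed_pids, probe=pid_exists):
    """PIDs that answer the probe but appear in neither listing taken around the scan.

    Listing before and after the scan, and probing twice, keeps processes that merely
    started or exited mid-scan from being misreported. The two views are injectable
    (hypothetical parameters) so the logic can be exercised against a simulated hook.
    A known benign cause of hits is /proc mounted with hidepid=1 or hidepid=2.
    """
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            pid_max = int(fh.read())
    before = list_view()
    candidates = {pid for pid in range(1, pid_max + 1) if probe(pid)}
    after = list_view()
    return sorted(pid for pid in candidates - before - after if probe(pid))
```

On a real host call `find_hidden_pids()` with no arguments; a non-empty result, or any entry from `preload_entries()`, is a lead for the out-of-band analysis described above, not proof on its own.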

References

  1. MITRE ATT&CK: Rootkit (T1014) (MITRE)
  2. NIST SP 800-83: Guide to Malware Incident Prevention and Handling (NIST)
  3. MITRE ATT&CK: Persistence (TA0003) (MITRE)