Clankerusecase
MITRE ATT&CK detection coverage

T1014 Rootkit

T1014 — Rootkit is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 12 detection use cases covering it and 6 threat-intel articles citing it.

Tactic: Defense Evasion
Use cases: 12
Articles: 6
Sub-techniques: 0
Tactics: 1

Use cases covering this technique (12)

- Linux Auditd Kernel Module Enumeration (ESCU actions · hunting · P)
- Linux Kernel Module Enumeration (ESCU actions · hunting · P)
- Linux Medusa Rootkit (ESCU actions · alerting · P)
- Windows Driver Load Non-Standard Path (ESCU actions · alerting · P)
- Windows Drivers Loaded by Signature (ESCU actions · hunting · P)
- [LLM] eBPF program load or pinned object created from non-system parent on Arch host (Bespoke install · hunting · DSΣPDDCS)
- [LLM] Atomic Arch: eBPF rootkit pinned maps hidden_pids/hidden_names/hidden_inodes in /sys/fs/bpf/ (Bespoke install · alerting · DSΣPDDCS)
- [LLM] Atomic Arch rootkit — eBPF program load by AUR-build-chain descendant (Bespoke install · hunting · DSPDD)
- [LLM] perfctl rootkit — /etc/ld.so.preload write or LD_PRELOAD on root daemon (Bespoke install · alerting · DSΣPDDCS)
- [LLM] fast16 Sabotage Framework Hash IOC Sweep (svcmgmt.exe / fast16.sys / svcmgmt.dll) (Bespoke install · alerting · DSΣP)
- [LLM] fast16 Carrier Runtime Artefacts (SvcMgmt service / pipe p577 / \Device\fast16) (Bespoke install · hunting · DSP)
- [LLM] BYOVD: Genshin Impact mhyprot.sys driver dropped/loaded outside legitimate game install (Embargo evil-mhyprot-cli) (Bespoke install · alerting · DSΣP)

Articles citing this technique (6)