T1014 - Rootkit
Tactics:
Defense Evasion
Platforms:
Linux macOS Windows
Detection:
Not specified
Description:
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
Rootkits that reside in or modify boot sectors are known as [Bootkits](https://attack.mitre.org/techniques/T1542/003) and specifically target the boot process of the operating system.
Used by Actors (6)
Malware (20)
Stuxnet other
MEDUSA other
COATHANGER other
Umbreon other
Hildegard other
Hacking Team UEFI Rootkit other
Skidmap other
Line Dancer other
REPTILE other
Zeroaccess other
Caterpillar WebShell other
Uroburos other
Winnti for Linux other
Hikit other
Drovorub other
PoisonIvy other
LoJax other
Ramsay other
Carberp other
Ebury other
Metadata
| MITRE ID: | T1014 |
| STIX ID: | attack-pattern--0f20e3cb-245b-... |
| Platforms: | Linux, macOS, Windows |
| Created: | 13/01/2026 17:48 |
| Updated: | 06/03/2026 16:00 |