cti/enterprise-attack/attack-pattern/attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b.json

{
    "type": "bundle",
    "id": "bundle--c1297b71-b7b0-4197-b0ab-d345e3b8d410",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "attack-pattern",
            "id": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
            "created": "2017-05-31T21:30:26.496Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1014",
                    "external_id": "T1014"
                },
                {
                    "source_name": "CrowdStrike Linux Rootkit",
                    "description": "Kurtz, G. (2012, November 19). HTTP iframe Injecting Linux Rootkit. Retrieved December 21, 2017.",
                    "url": "https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/"
                },
                {
                    "source_name": "BlackHat Mac OSX Rootkit",
                    "description": "Pan, M., Tsai, S. (2014). You can\u2019t see me: A Mac OS X Rootkit uses the tricks you haven't known yet. Retrieved December 21, 2017.",
                    "url": "http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf"
                },
                {
                    "source_name": "Symantec Windows Rootkits",
                    "description": "Symantec. (n.d.). Windows Rootkit Overview. Retrieved December 21, 2017.",
                    "url": "https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf"
                },
                {
                    "source_name": "Wikipedia Rootkit",
                    "description": "Wikipedia. (2016, June 1). Rootkit. Retrieved June 2, 2016.",
                    "url": "https://en.wikipedia.org/wiki/Rootkit"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "modified": "2026-04-15T22:32:28.874Z",
            "name": "Rootkit",
            "description": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)\n\nRootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "stealth"
                }
            ],
            "x_mitre_attack_spec_version": "3.3.0",
            "x_mitre_contributors": [
                "Menachem Goldstein"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "x_mitre_platforms": [
                "Linux",
                "macOS",
                "Windows"
            ],
            "x_mitre_version": "2.0"
        }
    ]
}