Merge pull request #93 from JeremyNGalloway/master
added a Linux Defense Evasion entry for Rootkits
This commit is contained in:
caseysmithrc
@@ -0,0 +1,21 @@
|
||||
## Rootkits
|
||||
|
||||
MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
|
||||
|
||||
### Loadable Kernel Module based Rootkit
|
||||
|
||||
Input:
|
||||
|
||||
sudo insmod MODULE.ko
|
||||
|
||||
OR
|
||||
|
||||
Input:
|
||||
|
||||
sudo modprobe MODULE.ko
|
||||
|
||||
### LD_PRELOAD based Rootkit
|
||||
|
||||
Input:
|
||||
|
||||
export LD_PRELOAD=$PWD/libmy_r00tkit.so
|
||||
+2
-1
@@ -13,7 +13,8 @@
|
||||
| Valid Accounts | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Input Capture | Scheduled Transfer | Multi-Stage Channels |
|
||||
| Web Shell | | Install Root Certificate | | System Owner/User Discovery | | | Screen Capture | | Multiband Communication |
|
||||
| | | Masquerading | | | | | | | Multilayer Encryption |
|
||||
| | | Redundant Access | | | | | | | Remote File Copy |
|
||||
| | | Redundant Access |
|
||||
| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy |
|
||||
| | | Scripting | | | | | | | Standard Application Layer Protocol |
|
||||
| | | Space after Filename | | | | | | | Standard Cryptographic Protocol |
|
||||
| | | Timestomp | | | | | | | Standard Non-Application Layer Protocol |
|
||||
|
||||
Reference in New Issue
Block a user