T1014 IBM QRadar · QRadar

Detect Rootkit in IBM QRadar

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits intercept and modify operating system API calls to conceal malware activity and can reside at user-space, kernel-space, or firmware level. Real-world deployments include Drovorub (GRU-attributed Linux malware with an LKM rootkit component), Skidmap (cryptocurrency miner with kernel-mode hooking), TeamTNT's use of Diamorphine (open-source LKM), Ebury (OpenSSH userland backdoor and rootkit), Rocke (process hiding through /etc/ld.so.preload), Umbreon (libc hooking), and Windows rootkits from Carberp and Stuxnet. On Linux, kernel rootkits load as loadable kernel modules (LKMs), while userland rootkits hook libc through the shared-library preload file /etc/ld.so.preload. Windows kernel rootkits abuse driver loading mechanisms. Detection is most effective at installation and loading time: once active, a rootkit conceals itself from exactly the OS-level enumeration (process lists, module lists, directory listings) that later hunts rely on.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1014 Rootkit
Canonical reference
https://attack.mitre.org/techniques/T1014/

QRadar Detection Query

IBM QRadar (AQL)

```sql
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  "ServiceName",
  "ServiceType",
  "ImagePath",
  "ImageLoaded",
  "syscall",
  "name" AS audit_file_path,
  "nametype",
  "comm" AS parent_process_name,
  "exe",
  "auid",
  CASE
    /* Mirrors the WHERE signals so each row is labelled with the branch it matched */
    WHEN eventid = 7045
      AND (LOWER("ServiceType") LIKE '%kernel%'
           OR "ServiceType" = '1'
           OR "ServiceType" = '0x1')
      AND (
        "ImagePath" ILIKE '%\temp\%'
        OR "ImagePath" ILIKE '%\appdata\%'
        OR "ImagePath" ILIKE '%\downloads\%'
        OR "ImagePath" ILIKE '%\programdata\%'
        OR "ImagePath" ILIKE '%\users\public\%'
      )
      THEN 'WindowsKernelDriverInstall'
    WHEN QIDNAME(qid) ILIKE '%Driver Loaded%'
      AND NOT (
        "ImageLoaded" ILIKE 'C:\Windows\System32\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\SysWOW64\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\WinSxS\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files (x86)\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\servicing\%'
      )
      THEN 'SuspiciousDriverLoad'
    WHEN "type" = 'SYSCALL'
      AND "syscall" IN ('init_module', 'finit_module')
      AND NOT (
        "comm" ILIKE 'apt%' OR "comm" ILIKE 'dpkg%'
        OR "comm" = 'rpm' OR "comm" = 'yum' OR "comm" = 'dnf'
        OR "comm" = 'kmod' OR "comm" = 'dracut'
        OR "comm" = 'systemd' OR "comm" = 'pacman'
        OR "comm" = 'zypper' OR "comm" = 'snap'
      )
      THEN 'LinuxKernelModuleLoad'
    WHEN "type" = 'SYSCALL' AND "syscall" = 'delete_module'
      THEN 'LinuxKernelModuleUnload'
    WHEN "type" = 'PATH'
      AND "name" = '/etc/ld.so.preload'
      AND "nametype" IN ('CREATE', 'NORMAL')
      THEN 'LdPreloadModification'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  (
    /* Signal 1: Windows kernel driver service install from suspicious path (System Event 7045) */
    (
      eventid = 7045
      AND (
        LOWER("ServiceType") LIKE '%kernel%'
        OR "ServiceType" = '1'
        OR "ServiceType" = '0x1'
      )
      AND (
        "ImagePath" ILIKE '%\temp\%'
        OR "ImagePath" ILIKE '%\appdata\%'
        OR "ImagePath" ILIKE '%\downloads\%'
        OR "ImagePath" ILIKE '%\programdata\%'
        OR "ImagePath" ILIKE '%\users\public\%'
      )
    )
    OR
    /* Signal 2: Driver (.sys) loaded from non-standard path (Sysmon EventCode 6 via QRadar DSM) */
    (
      QIDNAME(qid) ILIKE '%Driver Loaded%'
      AND NOT (
        "ImageLoaded" ILIKE 'C:\Windows\System32\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\SysWOW64\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\WinSxS\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files\%'
        OR "ImageLoaded" ILIKE 'C:\Program Files (x86)\%'
        OR "ImageLoaded" ILIKE 'C:\Windows\servicing\%'
      )
    )
    OR
    /* Signal 3: Linux auditd kernel module load/unload syscalls outside package manager comm names */
    (
      "type" = 'SYSCALL'
      AND "syscall" IN ('init_module', 'finit_module', 'delete_module')
      AND NOT (
        "comm" ILIKE 'apt%' OR "comm" ILIKE 'dpkg%'
        OR "comm" = 'rpm' OR "comm" = 'yum' OR "comm" = 'dnf'
        OR "comm" = 'kmod' OR "comm" = 'dracut'
        OR "comm" = 'systemd' OR "comm" = 'pacman'
        OR "comm" = 'zypper' OR "comm" = 'snap'
      )
    )
    OR
    /* Signal 4: auditd PATH write to /etc/ld.so.preload (userland rootkit hook point) */
    (
      "type" = 'PATH'
      AND "name" = '/etc/ld.so.preload'
      AND "nametype" IN ('CREATE', 'NORMAL')
    )
  )
ORDER BY starttime DESC
/* AQL takes the time range as a trailing clause, not as a WHERE predicate */
LAST 24 HOURS
```

Severity: critical · Confidence: medium

IBM QRadar AQL query detecting four T1014 Rootkit signals: kernel driver service installation from suspicious paths via Windows System Event 7045, non-standard driver loads mapped from Sysmon EventCode 6 via QRadar DSM QIDNAME lookup, Linux auditd SYSCALL records for init_module/finit_module/delete_module outside recognized package manager comm names, and auditd PATH records showing creation or write to /etc/ld.so.preload.
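
The following is an added example, not code from the page's detection package or from IBM: an offline model of the four signals above, run over constructed sample events so the branch logic can be checked without a QRadar console. Field names mirror the custom event properties the query references (ServiceType, ImagePath, ImageLoaded, comm, exe, nametype); the sample events are made up for the test. It goes one step beyond the query in Signal 3: because comm is the task's own name and is trivially forged, a package-manager comm is only trusted when the exe path from the same SYSCALL record also points into a system binary directory.

```python
"""Offline model of the four T1014 signals in the AQL query above, run over
constructed sample events. Added example for testing the logic outside QRadar;
not the page's or IBM's code."""

# Windows path fragments / prefixes, compared case-insensitively (ILIKE)
SUSPICIOUS_STAGING = ("\\temp\\", "\\appdata\\", "\\downloads\\",
                      "\\programdata\\", "\\users\\public\\")
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                       "c:\\windows\\winsxs\\", "c:\\program files\\",
                       "c:\\program files (x86)\\", "c:\\windows\\servicing\\")
# comm values the query accepts as legitimate module loaders. comm is the
# process's own 16-byte task name and is trivially forged (exec a copy named
# "dnf"), so this example additionally requires exe to agree with it.
TRUSTED_LOADER_COMM = {"rpm", "yum", "dnf", "kmod", "dracut", "systemd",
                       "pacman", "zypper", "snap"}
TRUSTED_LOADER_PREFIX = ("apt", "dpkg")
TRUSTED_EXE_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")


def is_kernel_driver(service_type):
    st = (service_type or "").lower()
    return "kernel" in st or st in ("1", "0x1")


def trusted_loader(comm, exe):
    comm = comm or ""
    by_name = comm in TRUSTED_LOADER_COMM or comm.lower().startswith(TRUSTED_LOADER_PREFIX)
    return by_name and (exe or "").startswith(TRUSTED_EXE_DIRS)


def classify(ev):
    """Return the detection_type the CASE expression assigns, or None when the
    event would not pass the WHERE clause at all."""
    # Signal 1: System 7045, kernel-mode driver registered from a staging path
    if ev.get("eventid") == 7045 and is_kernel_driver(ev.get("ServiceType")):
        path = (ev.get("ImagePath") or "").lower()
        if any(frag in path for frag in SUSPICIOUS_STAGING):
            return "WindowsKernelDriverInstall"
    # Signal 2: Sysmon 6 driver load outside the OS / Program Files trees
    if "driver loaded" in (ev.get("qidname") or "").lower():
        loaded = (ev.get("ImageLoaded") or "").lower()
        if not loaded.startswith(TRUSTED_DRIVER_DIRS):
            return "SuspiciousDriverLoad"
    # Signal 3: auditd module load/unload not attributable to a package manager
    if ev.get("type") == "SYSCALL" and not trusted_loader(ev.get("comm"), ev.get("exe")):
        if ev.get("syscall") in ("init_module", "finit_module"):
            return "LinuxKernelModuleLoad"
        if ev.get("syscall") == "delete_module":
            return "LinuxKernelModuleUnload"
    # Signal 4: auditd PATH record for the preload file (needs a -p wa watch;
    # with a read watch ld.so touching the file on every exec also yields NORMAL)
    if (ev.get("type") == "PATH" and ev.get("name") == "/etc/ld.so.preload"
            and ev.get("nametype") in ("CREATE", "NORMAL")):
        return "LdPreloadModification"
    return None


# Constructed sample events (not real telemetry); field names follow what
# QRadar exposes for WinCollect, Sysmon and the Linux OS DSM.
SAMPLE_EVENTS = [
    {"eventid": 7045, "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Users\\Public\\argus_test_driver.sys"},
    {"eventid": 7045, "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Windows\\System32\\drivers\\vendor.sys"},
    {"qidname": "Driver Loaded", "ImageLoaded": "C:\\Users\\Public\\argus_test_driver.sys"},
    {"qidname": "Driver Loaded", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys"},
    {"type": "SYSCALL", "syscall": "init_module", "comm": "insmod", "exe": "/usr/bin/kmod"},
    {"type": "SYSCALL", "syscall": "finit_module", "comm": "dnf", "exe": "/usr/bin/python3"},
    {"type": "SYSCALL", "syscall": "finit_module", "comm": "dnf", "exe": "/tmp/.x/dnf"},
    {"type": "SYSCALL", "syscall": "delete_module", "comm": "rmmod", "exe": "/usr/bin/kmod"},
    {"type": "PATH", "name": "/etc/ld.so.preload", "nametype": "CREATE"},
    {"type": "PATH", "name": "/etc/ld.so.conf", "nametype": "NORMAL"},
]


def run(events=SAMPLE_EVENTS):
    """Map event index -> detection_type for every event that fires."""
    hits = {}
    for i, ev in enumerate(events):
        kind = classify(ev)
        if kind:
            hits[i] = kind
    return hits


if __name__ == "__main__":
    for i, kind in run().items():
        print(f"event {i}: {kind}")
```

Event 4 (insmod, exe resolved to /usr/bin/kmod) still fires, which is the behaviour of the query as written: the exclusion list names kmod, but comm carries the name the binary was executed as (insmod, modprobe), so that entry never matches. Event 6 shows why exe matters: a binary renamed dnf and run from /tmp passes the comm check alone.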

Data Sources

  • Windows System Event Log (Event 7045) via the QRadar WinCollect agent or a Universal DSM
  • Sysmon XML events (Event 6, Driver Loaded) via the QRadar DSM for Microsoft Windows Security Event Log
  • Linux auditd via the QRadar Linux OS DSM (SYSCALL and PATH record types). The query only sees what auditd records: the host needs an exit rule on the init_module, finit_module and delete_module syscalls (for both the b64 and b32 arch on x86_64) and a write/attribute watch (-p wa) on /etc/ld.so.preload, with comm, exe, auid, syscall and nametype extracted as custom event properties
  • IBM QRadar Universal DSM for custom log sources

Required Tables

events

False Positives & Tuning

  • Software installers that unpack .sys driver files to %TEMP% before registering the service: Event 7045 fires while ImagePath still points at the staging location, before the MSI/NSIS installer relocates the file. Cross-check the driver's signer in the matching Sysmon Event 6 (Signature/SignatureStatus) before escalating
  • Forensic and monitoring tooling that loads modules outside a package manager: memory acquisition modules such as LiME loaded with insmod ahead of Volatility/Rekall analysis, EDR sensors, and DKMS rebuilds. Ordinary boot-time loads (modprobe spawned by udev or systemd-modules-load) carry comm=modprobe, which the exclusion list does not cover, so expect a baseline of legitimate LinuxKernelModuleLoad rows on every host
  • The comm exclusion is a noise filter, not a trust boundary: comm is the task name taken from the executed file name, so any binary renamed dnf passes it. Pair comm with exe= and auid from the same SYSCALL record, and prefer hosts enforcing module signature checks (CONFIG_MODULE_SIG_FORCE or kernel lockdown), where an unsigned module load fails before it becomes a rootkit
  • A read watch (-p r or -p rwa) on /etc/ld.so.preload produces a NORMAL PATH record every time the dynamic loader opens the file, that is on every process start; keep the watch to -p wa so Signal 4 only fires on writes and attribute changes
  • Custom property extraction on non-English Windows locales can leave ServiceType or ImagePath null; the 7045 branch then fails to match at all, so the outcome is a missed detection rather than a false positive. Validate the custom event properties against 7045 samples from each locale in use


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1 (Linux): Load a Benign Kernel Module from Non-Standard Path

    Expected signal: auditd SYSCALL record with syscall=init_module, exe=/sbin/insmod, auid=<current_user>. DeviceProcessEvents (MDE for Linux): FileName=insmod, ProcessCommandLine containing '/tmp/testmodule/test_rootkit_sim.ko', InitiatingProcessFileName=bash/sh. dmesg shows 'argus_test: rootkit simulation module loaded'. lsmod shows 'test_rootkit_sim' in module list.

  2. Test 2 (Linux): Userland Rootkit Hook via ld.so.preload Injection

    Expected signal: auditd PATH record: type=PATH name=/etc/ld.so.preload nametype=NORMAL with associated SYSCALL record showing write/openat syscall, exe=/usr/bin/tee. DeviceFileEvents (MDE for Linux): FolderPath=/etc, FileName=ld.so.preload, ActionType=FileModified or FileCreated. File integrity monitoring (if deployed) triggers on /etc/ld.so.preload change.

  3. Test 3 (Windows): Install a Kernel Driver Service from Suspicious Path

    Expected signal: Security Event ID 4697 in the Security Log (only logged when the Audit Security System Extension subcategory is enabled): ServiceName=ArgusTestRootkit, ServiceFileName=C:\Users\Public\argus_test_driver.sys, ServiceType=0x00000001 (Kernel Driver), AccountName=<current_admin_user>. Sysmon Event ID 6 (Driver Loaded): ImageLoaded=C:\Users\Public\argus_test_driver.sys, Signed=true (null.sys is signed). System Event Log 7045: same service details. The file is legitimately signed but the path is suspicious, which is the case Signals 1 and 2 are built for; a signature check alone would not flag it.

  4. Test 4 (Linux): Enumerate Running Processes to Detect Rootkit-Induced Discrepancies

    Expected signal: On a clean system: proc_pids.txt and ps_pids.txt should differ only by kernel threads and very short-lived processes, and the final comm output should be empty or show only expected kernel thread PIDs. Module comparison should show no discrepancies on a clean system. During active rootkit incident: hidden PIDs and module names would appear in the discrepancy output. This test generates no detection alerts on a clean system — it is a verification tool for the investigation phase.
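
One way to carry out the Test 4 comparison, as an added example (the page does not publish its own script, and this is not it): processes that answer a kill(pid, 0) probe but are missing from the /proc directory listing, and loadable modules that still own a sysfs entry but are absent from /proc/modules. The collectors assume a Linux host and root privileges; the comparison functions are pure, so they can also be fed listings captured with a known-good static binary.

```python
"""Hidden-process and hidden-module discrepancy check for the Test 4
verification step. Added example, not the page's own test script. Run as root
on the Linux host under investigation."""
import os


def pids_from_listing():
    """PIDs as the /proc directory enumeration reports them (what ps walks)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_probe(max_pid=None):
    """Brute-force the PID space with kill(pid, 0). A userland rootkit hooking
    readdir, or a kernel rootkit filtering getdents, removes entries from the
    listing but the kernel still answers the signal probe; EPERM also means
    the PID exists. Walking pid_max (up to 4194304) takes a few seconds."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def modules_from_proc():
    with open("/proc/modules") as f:
        return {line.split()[0] for line in f if line.strip()}


def modules_from_sysfs():
    """Loadable modules known to sysfs. Built-in code also gets a /sys/module
    entry for its parameters, but only loaded modules carry 'initstate'."""
    return {m for m in os.listdir("/sys/module")
            if os.path.exists(os.path.join("/sys/module", m, "initstate"))}


def hidden_pids(listed, probed, ignore=()):
    """PIDs visible to the probe but not to the listing. A process that exits
    between the two collectors lands here too, so re-run before treating a PID
    as hidden. 'ignore' drops the collector's own PID."""
    return sorted(set(probed) - set(listed) - set(ignore))


def hidden_modules(proc_modules, sysfs_modules):
    """Modules that unlinked themselves from the kernel module list (what
    lsmod and /proc/modules walk) but left their sysfs kobject in place."""
    return sorted(set(sysfs_modules) - set(proc_modules))


def report(listed, probed, proc_modules, sysfs_modules, ignore=()):
    return {"hidden_pids": hidden_pids(listed, probed, ignore),
            "hidden_modules": hidden_modules(proc_modules, sysfs_modules)}


if __name__ == "__main__":
    print(report(pids_from_listing(), pids_from_probe(), modules_from_proc(),
                 modules_from_sysfs(), ignore=(os.getpid(),)))
```

On a clean host both lists come back empty. The probe deliberately avoids the directory-listing path, because a preloaded readdir hook hides entries from Python's os.listdir just as it does from ps; the module check is one-sided in the same sense, since a module that also deletes its kobject leaves sysfs with nothing to compare.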
