title: Rootkit (T1014)
id: df00tech-t1014
status: experimental
description: "Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits intercept and modify operating system API calls to conceal malware activity and can reside at user-space, kernel-space, or firmware levels. Real-world deployments include Drovorub (GRU-attributed Linux kernel rootkit using LKMs), Skidmap (cryptocurrency miner with kernel-mode hooking), TeamTNT's Diamorphine (open-source LKM), Ebury (SSH userland rootkit), Rocke (ld.so.preload hijacking), Umbreon (libc hooking), and Windows-based rootkits from Carberp and Stuxnet. Linux kernel rootkits typically leverage loadable kernel modules (LKMs) or shared library preloading via /etc/ld.so.preload. Windows kernel rootkits abuse driver loading mechanisms. Detection is most effective at installation and loading time — once active, rootkits actively conceal themselves from OS-level enumeration."
references:
  - https://attack.mitre.org/techniques/T1014/
  - https://df00tech.com/detections/T1014
author: df00tech
date: 2026/04/13
tags:
  - attack.t1014
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate third-party kernel drivers (VPN clients, hardware manufacturers, security software) installed from staging directories before being moved to C:\\Windows\\System32\\drivers\\"
  - "Linux infrastructure provisioning via configuration management tools (Ansible, Puppet, Chef) loading expected kernel modules such as nf_tables, overlay, or br_netfilter on new nodes"
  - "Containerization and virtualization software (Docker, VirtualBox, VMware) loading kernel modules (vboxdrv.ko, vmwgfx.ko, overlay.ko) during service startup outside package manager context"
  - "Security hardening and compliance scanning tools that inspect or recreate /etc/ld.so.preload as part of CIS benchmark enforcement or file integrity verification workflows"
  - "Custom in-house kernel modules loaded on specialized appliances, HPC systems, or network gear where non-standard module paths are expected by design"
level: critical
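A load-time detection for the Linux half of this rule, given here as an added example rather than the df00tech rule's own logic or its KQL/SPL query: it groups constructed auditd-style records by event serial, flags kernel modules whose names fall outside an expected set (so the configuration-management and container modules listed under falsepositives pass), and flags writes to /etc/ld.so.preload while letting read-only inspection (the compliance-scanner false positive above) pass by decoding the open flags. The log lines, the module allowlist, the `modload` and `preload` audit keys and the `cis-scan` process name are constructed assumptions; field names follow auditd's SYSCALL, KERN_MODULE and PATH records in the interpreted form `ausearch -i` prints.

```python
"""Added example, not part of the df00tech T1014 rule: flag rootkit persistence
on Linux at load time from auditd-style records (sample lines are constructed)."""
import re
from collections import defaultdict

PRELOAD_PATH = "/etc/ld.so.preload"
MODULE_SYSCALLS = {"init_module", "finit_module"}
# Assumed baseline of modules expected on these hosts (extend per environment);
# names taken from the rule's falsepositives list.
EXPECTED_MODULES = {"nf_tables", "overlay", "br_netfilter", "vboxdrv", "vmwgfx"}
# open(2)/openat(2) flag bits that indicate write intent (Linux x86-64 values).
O_WRONLY, O_RDWR, O_CREAT, O_TRUNC = 0x1, 0x2, 0x40, 0x200
WRITE_FLAGS = O_WRONLY | O_RDWR | O_CREAT | O_TRUNC
REPLACE_SYSCALLS = {"rename", "renameat", "unlink", "unlinkat", "truncate"}

# Constructed records (assumed auditd rules: -a always,exit -S init_module,finit_module
# -k modload and -w /etc/ld.so.preload -p rwa -k preload). Not captured from a host.
SAMPLE_LOGS = """\
type=SYSCALL msg=audit(1700000000.100:101): syscall=finit_module success=yes exit=0 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modload"
type=KERN_MODULE msg=audit(1700000000.100:101): name="diamorphine"
type=SYSCALL msg=audit(1700000000.200:102): syscall=finit_module success=yes exit=0 uid=0 comm="modprobe" exe="/usr/bin/kmod" key="modload"
type=KERN_MODULE msg=audit(1700000000.200:102): name="nf_tables"
type=SYSCALL msg=audit(1700000000.300:103): syscall=openat success=yes exit=3 a2=241 uid=0 comm="sh" exe="/usr/bin/dash" key="preload"
type=PATH msg=audit(1700000000.300:103): item=1 name="/etc/ld.so.preload" nametype=CREATE
type=SYSCALL msg=audit(1700000000.400:104): syscall=openat success=yes exit=3 a2=0 uid=0 comm="cis-scan" exe="/opt/scanner/bin/cis-scan" key="preload"
type=PATH msg=audit(1700000000.400:104): item=0 name="/etc/ld.so.preload" nametype=NORMAL
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")


def parse_records(text):
    """Group key=value audit records by event serial: {serial: [record dict, ...]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        events[m.group(1)].append(fields)
    return events


def evaluate_event(records):
    """Return a finding string for one multi-record audit event, or None if benign."""
    syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
    if syscall is None or syscall.get("success") != "yes":
        return None  # only successful loads/writes matter here
    sc, comm = syscall.get("syscall"), syscall.get("comm", "?")
    if sc in MODULE_SYSCALLS:
        # Module loads: the KERN_MODULE record carries the module name.
        for name in (r["name"] for r in records if r.get("type") == "KERN_MODULE"):
            if name not in EXPECTED_MODULES:
                return f"unexpected kernel module '{name}' loaded by {comm}"
        return None
    paths = [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]
    if PRELOAD_PATH not in paths:
        return None
    if sc in {"open", "openat"}:
        # Flags live in a1 for open(2) and a2 for openat(2); auditd logs them in hex.
        flags = int(syscall.get("a1" if sc == "open" else "a2", "0"), 16)
        if flags & WRITE_FLAGS:
            return f"{PRELOAD_PATH} opened for writing by {comm}"
        return None  # read-only inspection (compliance scanners) is expected
    if sc in REPLACE_SYSCALLS:
        return f"{PRELOAD_PATH} replaced or removed via {sc} by {comm}"
    return None


def scan(text):
    """Evaluate every event in the log text; returns [(serial, finding), ...] in order."""
    findings = []
    for serial, records in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        finding = evaluate_event(records)
        if finding:
            findings.append((serial, finding))
    return findings


if __name__ == "__main__":
    for serial, finding in scan(SAMPLE_LOGS):
        print(f"[{serial}] {finding}")
```

Running the block reports events 101 (module `diamorphine` outside the baseline) and 103 (`sh` opening /etc/ld.so.preload with O_WRONLY|O_CREAT|O_TRUNC); the `nf_tables` load and the scanner's read-only open are left alone. The allowlist is a stand-in for a real baseline; on an actual fleet it would be generated from the package manager's module inventory per kernel version.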
