ATT&CK® Deep Dive: How to Detect Rootkits

Immerse yourself in the world of rootkits—a potent and obscure variety of malware that’s as attractive to adversaries as it is elusive to defenders. Get the rootkit definition, explore different types of rootkits, and see how they manifest on Linux, Windows, and macOS Learn how to detect rootkits and identify activities for threat hunts and alert investigations Get insights into how you can use the ATT&CK framework to shore up your vulnerabilities Address your visibility requirements so you can configure preventative and detection controls Rootkits exist at the lowest levels of an operating system, offering adversaries stealthy, persistent, and comprehensive control over an infected machine. Since this kind of malicious software often resides beneath the application layer of the operating system in a highly privileged piece of software called the kernel, it can be difficult to observe, let alone detect. In recent years, Microsoft and Apple have very intentionally built protections into Windows and macOS that make it increasingly difficult for anything to interact with the kernel. On the one hand, this makes it harder for adversaries to access these deeply privileged parts of the operating system, but, on the other hand, it also makes it difficult for defenders to gather important optics from there as well.