Merge pull request #93 from JeremyNGalloway/master

added a Linux Defense Evasion entry for Rootkits
2018-02-27 13:21:49 -07:00 · 2018-02-27 13:21:49 -07:00 · ed1dd3cea0
parent d58a87f670 7ff3fb1ee1
commit ed1dd3cea0
2 changed files with 23 additions and 1 deletions
--- a/Linux/Defense_Evasion/Rootkits.md
+++ b/Linux/Defense_Evasion/Rootkits.md
@ -0,0 +1,21 @@
+## Rootkits
+
+MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014)
+
+### Loadable Kernel Module based Rootkit
+
+Input:
+
+    sudo insmod MODULE.ko
+
+OR
+
+Input:
+
+    sudo modprobe MODULE.ko
+
+### LD_PRELOAD based Rootkit
+
+Input:
+
+    export LD_PRELOAD=$PWD/libmy_r00tkit.so
--- a/Linux/README.md
+++ b/Linux/README.md
@ -13,7 +13,8 @@
 | Valid Accounts               |                               | Indicator Removal on Host     | Two-Factor Authentication Interception | System Network Connections Discovery   |                                 |                          | Input Capture                  | Scheduled Transfer                            | Multi-Stage Channels                    |
 | Web Shell                    |                               | Install Root Certificate      |                                        | System Owner/User Discovery            |                                 |                          | Screen Capture                 |                                               | Multiband Communication                 |
 |                              |                               | Masquerading                  |                                        |                                        |                                 |                          |                                |                                               | Multilayer Encryption                   |
-|                              |                               | Redundant Access              |                                        |                                        |                                 |                          |                                |                                               | Remote File Copy                        |
+|                              |                               | Redundant Access              |                        
+|                              |                               | [Rootkits](Defense_Evasion/Rootkits.md)              |                        |                                        |                                 |                          |                                |                                               | Remote File Copy                        |
 |                              |                               | Scripting                     |                                        |                                        |                                 |                          |                                |                                               | Standard Application Layer Protocol     |
 |                              |                               | Space after Filename          |                                        |                                        |                                 |                          |                                |                                               | Standard Cryptographic Protocol         |
 |                              |                               | Timestomp                     |                                        |                                        |                                 |                          |                                |                                               | Standard Non-Application Layer Protocol |