From 08de1f2ead2685712e0bc22b9cd9824e9bbd7dd8 Mon Sep 17 00:00:00 2001 From: JeremyNGalloway Date: Tue, 27 Feb 2018 11:07:04 -0600 Subject: [PATCH 1/4] Initial upload --- Linux/Defense_Evasion/Rootkits.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 Linux/Defense_Evasion/Rootkits.md diff --git a/Linux/Defense_Evasion/Rootkits.md b/Linux/Defense_Evasion/Rootkits.md new file mode 100644 index 0000000..06becd2 --- /dev/null +++ b/Linux/Defense_Evasion/Rootkits.md @@ -0,0 +1,21 @@ +## Rootkits + +MITRE ATT&CK Technique: [T1014](https://attack.mitre.org/wiki/Technique/T1014) + +### Loadable Kernel Module based Rootkit + +Input: + + sudo insmod MODULE.ko + +OR + +Input: + + sudo modprobe MODULE.ko + +### LD_PRELOAD based Rootkit + +Input: + + export LD_PRELOAD=$PWD/libmy_r00tkit.so \ No newline at end of file From ee8b6427285cc6f98f6dfad998b8d0cf89709de0 Mon Sep 17 00:00:00 2001 From: JeremyNGalloway Date: Tue, 27 Feb 2018 11:13:15 -0600 Subject: [PATCH 2/4] updated README with links to Rootkits --- Linux/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Linux/README.md b/Linux/README.md index 035317d..d2ae61c 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -13,7 +13,8 @@ | Web Shell | | Indicator Removal on Host | Two-Factor Authentication Interception | System Network Connections Discovery | | | Screen Capture | Scheduled Transfer | Multi-Stage Channels | | | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication | | | | Masquerading | | | | | | | Multilayer Encryption | -| | | Redundant Access | | | | | | | Remote File Copy | +| | | Redundant Access | +| | | [Rootkits](/Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy | | | | Scripting | | | | | | | Standard Application Layer Protocol | | | | Space after Filename | | | | | | | Standard Cryptographic Protocol | | | | Timestomp | | | | | | | Standard Non-Application Layer Protocol | 
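Review bot: the second LKM command in Rootkits.md, `sudo modprobe MODULE.ko`, will not work as written: modprobe resolves a module name through the modules.dep index under /lib/modules/$(uname -r) and does not treat the `.ko` filename as a module, so this fails with "Module MODULE.ko not found"; only `insmod` loads a file directly. Suggest `sudo modprobe MODULE` with one sentence noting that the module must first be placed in the module tree and indexed with `sudo depmod`. Two smaller points on the same hunk: the file is missing its trailing newline (`\ No newline at end of file`), and since each section only gives an "Input:" it would help testers to add the verification and cleanup commands that confirm and revert the state change, for example `lsmod | grep MODULE` and `sudo rmmod MODULE` for the LKM case and `unset LD_PRELOAD` for the preload case, so a run leaves the host the way it was found.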
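Review bot: the link added in Linux/README.md, `[Rootkits](/Defense_Evasion/Rootkits.md)`, is root-relative and resolves to the repository root rather than to Linux/Defense_Evasion/Rootkits.md; it should be `Defense_Evasion/Rootkits.md` relative to the README's own directory. The hunk also leaves the table with inconsistent row widths: the original `| | | Redundant Access | | | | | | | Remote File Copy |` row becomes the three-cell `| | | Redundant Access |`, and its Remote File Copy cell is moved into the new Rootkits row. Suggest keeping every row at the full column count (pad the shortened row with empty cells) so the per-tactic columns stay aligned and the renderer does not have to pad them implicitly.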
From 56ed971cddf8eeeb29922f8f60f75acaef54224f Mon Sep 17 00:00:00 2001 From: JeremyNGalloway Date: Tue, 27 Feb 2018 11:14:29 -0600 Subject: [PATCH 3/4] Update README.md --- Linux/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux/README.md b/Linux/README.md index d2ae61c..ab6d706 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -14,7 +14,7 @@ | | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication | | | | Masquerading | | | | | | | Multilayer Encryption | | | | Redundant Access | -| | | [Rootkits](/Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy | +| | | [Rootkits](Linux/Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy | | | | Scripting | | | | | | | Standard Application Layer Protocol | | | | Space after Filename | | | | | | | Standard Cryptographic Protocol | | | | Timestomp | | | | | | | Standard Non-Application Layer Protocol | From 7ff3fb1ee18a17cb79970e4981bd3f424b4e3800 Mon Sep 17 00:00:00 2001 From: JeremyNGalloway Date: Tue, 27 Feb 2018 11:14:56 -0600 Subject: [PATCH 4/4] Update README.md --- Linux/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux/README.md b/Linux/README.md index ab6d706..3027297 100644 --- a/Linux/README.md +++ b/Linux/README.md @@ -14,7 +14,7 @@ | | | Install Root Certificate | | System Owner/User Discovery | | | | | Multiband Communication | | | | Masquerading | | | | | | | Multilayer Encryption | | | | Redundant Access | -| | | [Rootkits](Linux/Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy | +| | | [Rootkits](Defense_Evasion/Rootkits.md) | | | | | | | Remote File Copy | | | | Scripting | | | | | | | Standard Application Layer Protocol | | | | Space after Filename | | | | | | | Standard Cryptographic Protocol | | | | Timestomp | | | | | | | Standard Non-Application Layer Protocol |
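Review bot: the path in this hunk, `Linux/Defense_Evasion/Rootkits.md`, is still wrong: a relative link in Linux/README.md is resolved against the Linux/ directory, so this points at Linux/Linux/Defense_Evasion/Rootkits.md. The correct relative target is `Defense_Evasion/Rootkits.md`. Since this commit only corrects the link introduced in PATCH 2/4, suggest squashing it into that commit rather than landing a known-broken intermediate state.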
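Review bot: `Defense_Evasion/Rootkits.md` is the correct relative path from Linux/README.md, so this hunk is fine as the final state, but it is the third commit in a row touching the same line, and the commit message "Update README.md" does not say what changed. Suggest squashing PATCH 2/4 through 4/4 into a single commit with a message such as "Add Rootkits (T1014) to Linux Defense Evasion table" so the history records one intentional change instead of two link fixes.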