T1014: T1014

Search IOCs, vulnerabilities, APT…

216.73.217.22

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:37 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1014
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:37
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Rootkit

Platforms

windows macos linux

Description

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit) Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

CrowdStrike Linux Rootkit
BlackHat Mac OSX Rootkit
Symantec Windows Rootkits
mitre-attack (T1014)
Wikipedia Rootkit

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (31)

Blackwood uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gleaming Pisces uses UNC1720UNC4736

The MITRE Corporation Confidence 100

[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
GhostEmperor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
RudePanda uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5221 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TeamTNT uses

The MITRE Corporation Confidence 100

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Rocke uses

The MITRE Corporation Confidence 100

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Winnti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT41 uses Wicked PandaBrass Typhoon

The MITRE Corporation Confidence 100

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Manic Menagerie uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Transparent Tribe uses COPPER FIELDSTONEMythic Leopard

The MITRE Corporation Confidence 100

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 31

VPC Security uses
Trojan:Win32/Nukesped uses
Carberp uses
Emotet uses
TEMPLEDOOR uses

Family
Deed RAT uses

Family
Hacktool uses
MataDoor uses
GorillaBot uses

Family
Trojan:MacOS/Pnscan uses
REPTILE uses

Family
HyperBro - S0398 uses

← Previous

Page / 11

1–12 of 132

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
APT Targets Azerbaijani Oil and Gas Industry related

5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software … related

AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat related

16 MITREs 1 APT
GUNRA RANSOMWARE: What You Don't Know! related

22 MITREs 3 Malwares 1 APT
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures … related

13 MITREs 1 APT
Threat Bulletin: Fire in the Woods – A … related

10 MITREs 1 Malware 1 APT
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti … related

19 MITREs 5 Malwares 1 APT
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and … related

11 MITREs 1 Malware 1 APT
GorillaBot: Technical Analysis and Code Similarities with Mirai related

12 MITREs 2 Malwares 3 Observables

← Previous

Page / 3

1–12 of 27

Vulnerabilities (CVE) (37)

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2024-38193 KEV targets

7.8 High

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain …

Attack vector: Local
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2024-5274 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This …

Attack vector: Network
Published: 28/05/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2017-0213 KEV targets

7.3 High

Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.

Attack vector: LOCAL
Complexity: LOW
Published: 12/05/2017
Modified: 22/04/2026

CVE-2021-4043 targets

CVE-2024-4947 KEV targets

9.6 Critical

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via …

Attack vector: Network
Published: 20/05/2024
Modified: 29/05/2026

Received

CVE-2019-0604 KEV targets

Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-7971 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. …

Attack vector: Network
Published: 26/08/2024
Modified: 21/12/2025

Analyzed

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 4

1–12 of 37

HTRAN uses

The MITRE Corporation Confidence 100

[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their…

Campaign (2)

RedPenguin uses
ArcaneDoor uses

Contact About Legal notice Privacy policy Terms of use

T1014: T1014

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (31)

Malware (132)

Reports (27)

Vulnerabilities (CVE) (37)

Tool (1)

Campaign (2)