T1014: T1014

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1014
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Rootkit

Platforms

windows macos linux

Description

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit) Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

CrowdStrike Linux Rootkit
BlackHat Mac OSX Rootkit
Symantec Windows Rootkits
mitre-attack (T1014)
Wikipedia Rootkit

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (30)

UNC1860 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ebury uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gelsemium uses

The MITRE Corporation Confidence 100

[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle…

First seen 01/01/1970 · Last seen 16/11/5138 ·
WatchDog uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cranefly uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-Q-29 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Candiru related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Corlys related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly related BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 related GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HoneyMyte related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 30

ComRAT - S0126 uses
DoNoT Loader uses

Family
TinyTurla - S0668 uses

Family
Kik uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trojan:Win64/NukeSped uses
ZGrab uses
BlackMatter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ROTPIPE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
VBS uses
Winnti for Linux uses

Family The MITRE Corporation Confidence 100

[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number…

First seen 01/01/1970 · Last seen 16/11/5138 ·
svcmgmt.exe uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
trojan.danfuan uses

← Previous

Page / 7

13–24 of 80

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
APT Targets Azerbaijani Oil and Gas Industry related

5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software … related

AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat related

16 MITREs 1 APT
GUNRA RANSOMWARE: What You Don't Know! related

22 MITREs 3 Malwares 1 APT
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures … related

13 MITREs 1 APT
Threat Bulletin: Fire in the Woods – A … related

10 MITREs 1 Malware 1 APT
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti … related

19 MITREs 5 Malwares 1 APT
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and … related

11 MITREs 1 Malware 1 APT
GorillaBot: Technical Analysis and Code Similarities with Mirai related

12 MITREs 2 Malwares 3 Observables

← Previous

Page / 3

1–12 of 27

Vulnerabilities (CVE) (37)

CVE-2024-30051 targets

7.8 High

Windows DWM Core Library Elevation of Privilege Vulnerability

Published: 14/05/2024
Modified: 14/05/2024

Awaiting Analysis

CVE-2021-31207 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-40539 KEV targets

Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2019-0803 KEV targets

Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2019-1458 KEV targets

A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP.

Published: 10/01/2022
Modified: 20/12/2025

CVE-2021-33766 KEV targets

Microsoft Exchange Server contains an information disclosure vulnerability which can allow an unauthenticated attacker to steal email traffic from target.

Published: 18/01/2022
Modified: 20/12/2025

CVE-2022-26134 KEV targets

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …

Published: 02/06/2022
Modified: 27/05/2026

CVE-2023-4911

targets

CVE-2023-46604 KEV targets

10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector: Network
Published: 02/11/2023
Modified: 21/12/2025

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2022-29464 KEV targets

Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.

Published: 25/04/2022
Modified: 20/12/2025

CVE-2023-33246 targets

← Previous

Page / 4

13–24 of 37

HTRAN uses

The MITRE Corporation Confidence 100

[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their…

Campaign (1)

RedPenguin uses

Contact About Legal notice Privacy policy Terms of use

T1014: T1014

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (30)

Malware (80)

Reports (27)

Vulnerabilities (CVE) (37)

Tool (1)

Campaign (1)