T1014: T1014

Search IOCs, vulnerabilities, APT…

216.73.216.36

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 31/05/2017 23:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1014
Confidence: 100/100
Revoked: No
Published: 31/05/2017 23:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Rootkit

Platforms

windows macos linux

Description

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit) Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

CrowdStrike Linux Rootkit
BlackHat Mac OSX Rootkit
Symantec Windows Rootkits
mitre-attack (T1014)
Wikipedia Rootkit

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (30)

UNC1860 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Ebury uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gelsemium uses

The MITRE Corporation Confidence 100

[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia and the Middle…

First seen 01/01/1970 · Last seen 16/11/5138 ·
WatchDog uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Salt Typhoon uses

The MITRE Corporation Confidence 100

[Salt Typhoon](https://attack.mitre.org/groups/G1045) is a People's Republic of China (PRC) state-backed actor that has been active since at least 2019 and responsible for numerous compromises of network infrastructure at…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cranefly uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-Q-29 related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Candiru related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Corlys related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Daggerfly related BRONZE HIGHLANDEvasive Panda

The MITRE Corporation Confidence 100

[Daggerfly](https://attack.mitre.org/groups/G1034) is a People's Republic of China-linked APT entity active since at least 2012. [Daggerfly](https://attack.mitre.org/groups/G1034) has targeted individuals, government and NGO entities, and telecommunication companies in Asia and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 related GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
HoneyMyte related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 30

VPC Security uses
Trojan:Win32/Nukesped uses
Carberp uses
Emotet uses

Family The MITRE Corporation Confidence 100

[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TEMPLEDOOR uses

Family
Deed RAT uses

Family
Hacktool uses
MataDoor uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GorillaBot uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trojan:MacOS/Pnscan uses
REPTILE uses

Family The MITRE Corporation Confidence 100

[REPTILE](https://attack.mitre.org/software/S1219) is an open-source Linux rootkit with multiple components that provides backdoor access and functionality.(Citation: Google Cloud Mandiant UNC3886 2024)

First seen 01/01/1970 · Last seen 16/11/5138 ·
HyperBro - S0398 uses

← Previous

Page / 7

1–12 of 80

Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
APT Targets Azerbaijani Oil and Gas Industry related

5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software … related

AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Inside Salt Typhoon: China's State-Corporate Advanced Persistent Threat related

16 MITREs 1 APT
GUNRA RANSOMWARE: What You Don't Know! related

22 MITREs 3 Malwares 1 APT
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures … related

13 MITREs 1 APT
Threat Bulletin: Fire in the Woods – A … related

10 MITREs 1 Malware 1 APT
Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti … related

19 MITREs 5 Malwares 1 APT
Inside Kimsuky’s Latest Cyberattack: Analyzing Malicious Scripts and … related

11 MITREs 1 Malware 1 APT
GorillaBot: Technical Analysis and Code Similarities with Mirai related

12 MITREs 2 Malwares 3 Observables

← Previous

Page / 3

1–12 of 27

Vulnerabilities (CVE) (37)

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2022-41040 KEV targets

8.8 High

Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.

Attack vector: Network
Published: 30/09/2022
Modified: 20/12/2025

CVE-2024-38193 KEV targets

7.8 High

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain …

Attack vector: Local
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2024-5274 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This …

Attack vector: Network
Published: 28/05/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2017-0213 KEV targets

7.3 High

Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.

Attack vector: LOCAL
Complexity: LOW
Published: 12/05/2017
Modified: 22/04/2026

CVE-2021-4043 targets

CVE-2024-4947 KEV targets

9.6 Critical

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via …

Attack vector: Network
Published: 20/05/2024
Modified: 29/05/2026

Received

CVE-2019-0604 KEV targets

Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2024-7971 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. …

Attack vector: Network
Published: 26/08/2024
Modified: 21/12/2025

Analyzed

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 4

1–12 of 37

HTRAN uses

The MITRE Corporation Confidence 100

[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their…

Campaign (1)

RedPenguin uses

Contact About Legal notice Privacy policy Terms of use

T1014: T1014

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (30)

Malware (80)

Reports (27)

Vulnerabilities (CVE) (37)

Tool (1)

Campaign (1)