T1014: T1014
Essential information
- MITRE technique ID
T1014- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
Rootkit
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (30)
-
Lazarus relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Silver Fox relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC3886 relatedThe MITRE Corporation Confidence 100
[UNC3886](https://attack.mitre.org/groups/G1048) is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan…
First seen 01/01/1970 · Last seen 16/11/5138 · -
VoidLink relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has…
First seen 01/01/1970 · Last seen 16/11/5138 · -
gunra relatedAlienVault Confidence 100
No description available
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (80)
-
ComRAT - S0126 uses
-
DoNoT Loader usesFamily
-
TinyTurla - S0668 usesFamily
-
Kik usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Trojan:Win64/NukeSped uses
-
ZGrab uses
-
BlackMatter usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
ROTPIPE usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
VBS uses
-
Winnti for Linux usesFamily The MITRE Corporation Confidence 100
[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number…
First seen 01/01/1970 · Last seen 16/11/5138 · -
svcmgmt.exe usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
trojan.danfuan uses
Reports (27)
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
-
18 MITREs 1 Malware 2 Observables
-
16 MITREs 1 APT
-
22 MITREs 3 Malwares 1 APT
-
13 MITREs 1 APT
-
10 MITREs 1 Malware 1 APT
-
19 MITREs 5 Malwares 1 APT
-
11 MITREs 1 Malware 1 APT
-
12 MITREs 2 Malwares 3 Observables
Vulnerabilities (CVE) (37)
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
- Attack vector
- Network
- Published
- 10/12/2021
- Modified
- 27/05/2026
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
- Attack vector
- Network
- Published
- 30/09/2022
- Modified
- 20/12/2025
Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain …
- Attack vector
- Local
- Published
- 13/08/2024
- Modified
- 21/12/2025
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This …
- Attack vector
- Network
- Published
- 28/05/2024
- Modified
- 21/12/2025
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Microsoft Windows COM Aggregate Marshaler allows for privilege escalation when an attacker runs a specially crafted application.
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/05/2017
- Modified
- 22/04/2026
Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via …
- Attack vector
- Network
- Published
- 20/05/2024
- Modified
- 29/05/2026
Microsoft SharePoint fails to check the source markup of an application package. An attacker who successfully exploits the vulnerability could run remote …
- Published
- 03/11/2021
- Modified
- 20/12/2025
Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. …
- Attack vector
- Network
- Published
- 26/08/2024
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
- Published
- 03/11/2021
- Modified
- 29/05/2026
Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Tool (1)
-
HTRAN usesThe MITRE Corporation Confidence 100
[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their…
Campaign (1)
-
RedPenguin uses