T1014: T1014
Essential information
- MITRE technique ID
T1014- Confidence
- 100/100
- Revoked
- No
- Published
- 31/05/2017 23:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
Rootkit
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (30)
-
Blackwood usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[AppleJeus](https://attack.mitre.org/groups/G1049) is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bureau. Associated with the broader [Lazarus Group](https://attack.mitre.org/groups/G0032) umbrella of actors, [AppleJeus](https://attack.mitre.org/groups/G1049) has been active since…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GhostEmperor usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RudePanda usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UNC5221 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
TeamTNT usesThe MITRE Corporation Confidence 100
[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its…
First seen 01/01/1970 · Last seen 16/11/5138 · -
The Gentlemen usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rocke usesThe MITRE Corporation Confidence 100
[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Winnti usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Manic Menagerie usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
The MITRE Corporation Confidence 100
[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint…
First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (80)
-
VPC Security uses
-
Trojan:Win32/Nukesped uses
-
Carberp uses
-
Emotet uses
-
TEMPLEDOOR usesFamily
-
Deed RAT usesFamily
-
Hacktool uses
-
MataDoor uses
-
GorillaBot usesFamily
-
Trojan:MacOS/Pnscan uses
-
REPTILE usesFamily
-
HyperBro - S0398 uses
Reports (27)
-
Threat landscape — Belgium relatedConfidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
-
Threat landscape — insurance relatedConfidence 100 199 MITREs 11 APTs
-
5 CVEs 20 MITREs 3 Malwares 2 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
-
18 MITREs 1 Malware 2 Observables
-
16 MITREs 1 APT
-
22 MITREs 3 Malwares 1 APT
-
13 MITREs 1 APT
-
10 MITREs 1 Malware 1 APT
-
19 MITREs 5 Malwares 1 APT
-
11 MITREs 1 Malware 1 APT
-
12 MITREs 2 Malwares 3 Observables
Vulnerabilities (CVE) (37)
Windows DWM Core Library Elevation of Privilege Vulnerability
- Published
- 14/05/2024
- Modified
- 14/05/2024
Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Microsoft Win32k contains an unspecified vulnerability due to it failing to properly handle objects in memory causing privilege escalation. Successful exploitation allows …
- Published
- 03/11/2021
- Modified
- 21/12/2025
A privilege escalation vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k EoP.
- Published
- 10/01/2022
- Modified
- 20/12/2025
Microsoft Exchange Server contains an information disclosure vulnerability which can allow an unauthenticated attacker to steal email traffic from target.
- Published
- 18/01/2022
- Modified
- 20/12/2025
Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …
- Published
- 02/06/2022
- Modified
- 27/05/2026
targets
Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …
- Attack vector
- Network
- Published
- 02/11/2023
- Modified
- 21/12/2025
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
- Published
- 03/11/2021
- Modified
- 20/12/2025
Multiple WSO2 products allow for unrestricted file upload, resulting in remote code execution.
- Published
- 25/04/2022
- Modified
- 20/12/2025
Tool (1)
-
HTRAN usesThe MITRE Corporation Confidence 100
[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their…
Campaign (1)
-
RedPenguin uses