TID-218: Operating System Susceptible to Rootkit
Threat Description
A threat actor may be able to install a rootkit that can manipulate the operating system (OS). Rootkits can evade OS protections by installing themselves at the same privilege level as the OS. A threat actor can use a rootkit to maintain persistence on the device, evade detection, or execute malicious programs/logic.
Threat Maturity and Evidence
Known Exploitable Weakness
ATT&CK Technique: Rootkit (T0851)
Procedure Example: Stuxnet (S0603)
“One of Stuxnet’s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets [sic] own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets [sic] PLC code is not discovered or damaged.”
Proof of Concept
Ghost in the PLC
Researchers Abbasi and Hashemi created the Ghost in the PLC rootkit. This rootkit embeds itself in a PLC and includes detection-evasion mechanisms. Once installed, it can achieve arbitrary read/write access to registers, with or without root access.
Air Force Institute of Technology (AFIT)
“Researchers with the U.S. Air Force Institute of Technology (AFIT) have created a prototype rootkit that can sit undetected in the firmware of a programmable logic controller (PLC) device and corrupt utility and plant floor operations.”
CWE
CWE-693: Protection Mechanism Failure (Pillar)
“The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.”