T0851 Rootkit
Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. 1
Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact.
| Item | Value |
|---|---|
| ID | T0851 |
| Sub-techniques | |
| Tactics | TA0103, TA0107 |
| Platforms | Field Controller/RTU/PLC/IED |
| Version | 1.1 |
| Created | 21 May 2020 |
| Last Modified | 09 March 2023 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0603 | Stuxnet | One of Stuxnet‘s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. 3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M0947 | Audit | Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. 2 |
| M0945 | Code Signing | Digital signatures may be used to ensure application DLLs are authentic prior to execution. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0001 | Firmware | Firmware Modification |
References
-
Enterprise ATT&CK 2018, January 11 Rootkit Retrieved. 2018/05/16 ↩
-
IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ↩
-
Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve. Retrieved December 7, 2020. ↩