T1014
Rootkit
Description
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

Rootkits that reside in or modify boot sectors are known as [Bootkits](https://attack.mitre.org/techniques/T1542/003) and specifically target the boot process of the operating system.
Our coverage
- PCPJack Cloud Worm Evicts Competitor Malware, Steals Credentials from Docker and Kubernetes
- Salt Typhoon Compromises 200+ Networks in Global PRC Telecom Espionage Campaign
- Quasar Linux (QLNX): Rootkit and PAM Backdoor Targeting Developer Credentials
- Bleeding Llama: CVE-2026-5757 Exposes 300,000 Ollama AI Servers, No Patch Available
- AI Agent Security: Why Agentic AI Keeps Destroying Production Environments
Source: MITRE ATT&CK Enterprise matrix.