Rootkit

From ema
EMA ID: ema-1015
Description: A Rootkit may have the following capabilities:
  • Hide Kernel Modules - hides the usage of any kernel modules by the malware instance.
  • Hide Services - hides any system services that the malware instance creates or injects itself into.
  • Hide Threads - hides one or more threads that belong to the malware instance.
  • Hide Userspace Libraries - hides the usage of userspace libraries by the malware instance.
  • Prevent API Unhooking - prevents the API hooks installed by the malware instance from being removed.
  • Prevent Registry Access - prevents access to the Windows registry, including to the entire registry and/or to particular registry keys/values.
  • Prevent Registry Deletion - prevents Windows registry keys and/or values associated with the malware instance from being deleted from a system.
  • Prevent File Access - prevents access to the file system, including to specific files and/or directories associated with the malware instance.
  • Prevent File Deletion - prevents files and/or directories associated with the malware instance from being deleted from a system.
  • Prevent Memory Access - prevents access to system memory where the malware instance may be storing code or data.
  • Prevent Native API Hooking - prevents other software from hooking native system APIs.

Associated Capabilities/Subcapabilities: Defense Evasion
