T1014
Rootkit
Reference: attack.mitre.org, technique T1014

6 syscalls implement this technique
- NtQuerySystemInformation
Retrieves one class of system-wide information selected by SYSTEM_INFORMATION_CLASS: the process and thread list (SystemProcessInformation), the kernel handle table (SystemHandleInformation), the loaded driver list (SystemModuleInformation), code-integrity status (SystemCodeIntegrityInformation), and more. Rootkits hook it, or patch the buffer it returns, to drop their own process or driver from enumeration; the process listing is a chain of records linked by NextEntryOffset, so an entry disappears by unlinking it from the chain, which is what cross-view comparisons (syscall output versus an independently obtained listing) are designed to catch.
- NtSetSystemInformation
Generic kernel setter whose action is selected by SYSTEM_INFORMATION_CLASS; among other things it gates system debug control and GDI driver loading. The SystemLoadGdiDriverInformation class maps a kernel image without the Services registry entry that NtLoadDriver requires, so it is a second driver-loading path to monitor; it still needs SeLoadDriverPrivilege.
- NtQueryDirectoryFile
Enumerates a directory; the kernel dispatches it to the file-system stack as IRP_MJ_DIRECTORY_CONTROL. The result is a chain of FILE_*_DIRECTORY_INFORMATION records linked by NextEntryOffset, so a rootkit that hooks the syscall, or filters the IRP on completion, hides a file by unlinking its record from the chain while the file stays on disk. Cross-view detection compares this listing with one obtained another way, for instance by parsing the volume directly.
- NtDeviceIoControlFile
Sends an IOCTL to a kernel driver; DeviceIoControl() is a thin wrapper around it. That makes it the usual user-mode entry point for the primitives a vulnerable signed driver exposes in a BYOVD attack (physical-memory read/write, MSR access, port I/O), so the pair of device name and IOCTL code is what to log, not the bare call.
- NtLoadDriver
Loads a kernel-mode driver described by a service entry under HKLM\SYSTEM\CurrentControlSet\Services (passed as a registry path); requires SeLoadDriverPrivilege. The vulnerable driver in a BYOVD attack is still a validly signed driver and arrives through this call like any other, whether the Service Control Manager issues it on StartService or the attacker calls it directly: the creation of the service key followed by the load is the detection point.
- NtSystemDebugControl
Routes kernel-debugger-style requests (kernel virtual and physical read/write, control space, breakpoints, profiler) selected by the SysDbgCommand enum. It requires SeDebugPrivilege, and on Windows Vista and later the memory-access commands are refused with STATUS_DEBUGGER_INACTIVE unless kernel debugging is enabled, so a successful call from an ordinary process is itself a strong signal.
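The hiding pattern shared by NtQueryDirectoryFile and NtQuerySystemInformation, and the cross-view check that catches it, as an added example that is not part of the ATT&CK page and not code from any real rootkit or driver. It uses a simplified ENTRY record in place of the real FILE_*_DIRECTORY_INFORMATION and SYSTEM_PROCESS_INFORMATION structures (only NextEntryOffset matters to the unlink logic), a constructed five-name listing, and a hypothetical "hide everything prefixed rk_" rule:

```c
/* Added example, not from the ATT&CK page nor from any real rootkit: how a
 * NtQueryDirectoryFile / NtQuerySystemInformation hook hides records in a
 * NextEntryOffset-chained buffer, and how a cross-view diff catches it.
 * ENTRY is a simplified stand-in for FILE_*_DIRECTORY_INFORMATION and
 * SYSTEM_PROCESS_INFORMATION (real records are larger and variable-length;
 * the unlink logic needs only NextEntryOffset). Names and "rk_" are constructed. */
#include <stdalign.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint32_t NextEntryOffset;   /* bytes to the next record, 0 = last */
    char     Name[32];          /* constructed fixed-size name */
} ENTRY;

/* The honest syscall output: a chain of records built from a name array. */
static size_t build_listing(uint8_t *buf, const char **names, size_t n) {
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        ENTRY *e = (ENTRY *)(buf + off);
        memset(e, 0, sizeof *e);
        strncpy(e->Name, names[i], sizeof e->Name - 1);
        e->NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof *e : 0;
        off += sizeof *e;
    }
    return off;
}

/* What the hook does after the real syscall filled the buffer: unlink every
 * record whose name starts with `prefix`. A non-head record is skipped by
 * making its predecessor jump over it (its bytes stay behind, so the length
 * does not betray the edit); the head has no predecessor, so the rest of
 * the buffer is slid down over it. Returns the length the caller sees. */
static size_t hide_entries(uint8_t *buf, size_t len, const char *prefix) {
    ENTRY *prev = NULL, *cur = len ? (ENTRY *)buf : NULL;
    while (cur != NULL) {
        uint8_t *nextp = cur->NextEntryOffset ? (uint8_t *)cur + cur->NextEntryOffset : NULL;
        if (strncmp(cur->Name, prefix, strlen(prefix)) != 0) {
            prev = cur;
            cur = (ENTRY *)nextp;
        } else if (prev != NULL) {
            prev->NextEntryOffset = nextp ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            cur = (ENTRY *)nextp;
        } else if (nextp != NULL) {          /* cur is the head record, at buf */
            size_t shift = (size_t)(nextp - buf);
            memmove(buf, nextp, len - shift);
            len -= shift;                    /* loop re-examines the new head */
        } else {
            return 0;                        /* only record hidden: empty listing */
        }
    }
    return len;
}

/* Walk a chain and collect up to `max` names in order (what a consumer sees). */
static size_t walk(const uint8_t *buf, size_t len, const char **out, size_t max) {
    size_t n = 0;
    for (const ENTRY *cur = len ? (const ENTRY *)buf : NULL; cur != NULL && n < max;
         cur = cur->NextEntryOffset ? (const ENTRY *)((const uint8_t *)cur + cur->NextEntryOffset) : NULL)
        out[n++] = cur->Name;
    return n;
}

/* Cross-view detection: names in a trusted listing (`raw`: the volume parsed
 * directly, a PID sweep, a memory image) that the hooked view lacks. */
static size_t cross_view_diff(const uint8_t *raw, size_t rlen, const uint8_t *hooked,
                              size_t hlen, const char **missing, size_t max) {
    const char *a[64], *b[64];
    size_t na = walk(raw, rlen, a, 64), nb = walk(hooked, hlen, b, 64), nm = 0;
    for (size_t i = 0; i < na; i++) {
        int found = 0;
        for (size_t j = 0; j < nb && !found; j++) found = strcmp(a[i], b[j]) == 0;
        if (!found && nm < max) missing[nm++] = a[i];
    }
    return nm;
}

/* Constructed scenario: five records, three tagged "rk_" (head, middle, tail).
 * Buffers are static so the name pointers in RESULT stay valid after return. */
typedef struct { size_t nseen, nmissing; const char *seen[8], *missing[8]; } RESULT;
static const char *SAMPLE[] = { "rk_loader.exe", "explorer.exe", "rk_agent.exe",
                                "svchost.exe", "rk_helper.dll" };
static alignas(ENTRY) uint8_t RAW[512], HOOKED[512];

static RESULT run_scenario(void) {
    RESULT r;
    size_t rlen = build_listing(RAW, SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
    memcpy(HOOKED, RAW, rlen);
    size_t hlen = hide_entries(HOOKED, rlen, "rk_");    /* 2 of 5 records survive */
    r.nseen = walk(HOOKED, hlen, r.seen, 8);
    r.nmissing = cross_view_diff(RAW, rlen, HOOKED, hlen, r.missing, 8);
    return r;
}

int main(void) {
    RESULT r = run_scenario();
    for (size_t i = 0; i < r.nseen; i++) printf("visible: %s\n", r.seen[i]);
    for (size_t i = 0; i < r.nmissing; i++) printf("hidden:  %s\n", r.missing[i]);
    return 0;
}
```

Two points worth noting from the block: a hidden non-head record leaves its bytes in the buffer, so checking the returned length against the visible record count is weak evidence, and the only robust check is the diff against a listing obtained through a path the hook does not control. The same unlink applies unchanged to the NextEntryOffset chain in SYSTEM_PROCESS_INFORMATION, which is why this one block serves both syscalls.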