CLEARED FOR PUBLIC RELEASE · OPEN-SOURCE INTELLIGENCE
Rootkit (T1014) — a Defense Evasion technique, observed in public incident reporting.
MITRE ATT&CKT1014
TacticDefense Evasion
Incidents on file7
Detection & mitigation
Monitor for unexpected WDAC policy deployments (Event ID 3099) and use integrity checks on critical system files. Deploy application allowlisting and restrict WDAC policy modification to authorized administrators only.