• Classroom
Course Description

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees are able to detect and defend against them.

Learning Objectives

  • Understand vulnerabilities in the Windows kernel and device drivers
  • Be able to write and modify kernel mode exploits
  • Understand the security enhancements that have been added to recent versions of Windows
  • Be able to bypass some of the security mitigations in recent versions of Windows
  • Understand the post-exploitation steps performed by kernel mode rootkits
  • Understand the techniques used by popular real world rootkits
  • Understand how rootkits hide their presence in the system
  • Understand how rootkits communicate with command and control (C&C) servers
  • Be able to identify malicious behavior and defend against rootkits

Framework Connections

The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):

Specialty Areas

  • Technology R&D

Specialty Areas have been removed from the NICE Framework. With the recent release of the new NICE Framework data, updates to courses are underway. Until this course can be updated, this historical information is provided to give better context as to how it can help you with your cybersecurity goals.