Rootkits are a type of stealth malware dedicated to hiding an attacker's presence on a compromised system. This class focuses on understanding how rootkits work and which tools can be used to help find them.
This is a very hands-on class: we discuss the specific techniques that rootkits use, then run labs showing how a proof-of-concept rootkit hides things from a defender. Example techniques include:
- Trojan binaries
- Inline hooks
- Import Address Table (IAT) hooking
- System Call Table/System Service Descriptor Table (SSDT) hooking
- Interrupt Descriptor Table (IDT) hooking
- Direct Kernel Object Manipulation (DKOM)
- Kernel Object Hooking (KOH)
- IO Request Packet (IRP) filtering
- Hiding files/processes/open ports
- Compromising the Master Boot Record (MBR) to install a “bootkit”
The class will help the student learn which tools to use to look for rootkits on Windows systems, how to evaluate the breadth of a tool’s detection capabilities, and how to interpret tool results.
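One of the techniques listed above, Import Address Table (IAT) hooking, and the kind of check a detection tool makes against it, can be illustrated with a small simulation. The C program below is an added example, not material from the course or its provider. It models an IAT as an array of function pointers (which is what the loader fills in for a real PE module), installs a hook that hides one process ID by short-circuiting the lookup, and then detects the hook the way an IAT scanner does: by comparing each slot with the address the module actually exports. The function names, the slot layout and the hidden PID 1337 are constructed for illustration; a real scanner on Windows walks the PE import directory and compares each entry against the address resolved from the export table (for example via GetProcAddress).

```c
#include <stdio.h>
#include <stddef.h>

/* Simulated exports of a library module (stand-ins for, e.g., kernel32 functions).
 * Constructed for this example; they are not the course's lab code. */
static int real_open_process(int pid) { return pid; }        /* "handle" == pid */
static int real_list_files(int dir)   { return dir * 10; }   /* arbitrary result */

/* An import address table is just a table of function pointers. */
typedef int (*import_fn)(int);
enum { SLOT_OPEN_PROCESS = 0, SLOT_LIST_FILES = 1, IAT_SLOTS = 2 };

static import_fn iat[IAT_SLOTS] = { real_open_process, real_list_files };

/* What a detector resolves from the module's export table: the known-good targets. */
static const import_fn expected_exports[IAT_SLOTS] = { real_open_process, real_list_files };

/* Rootkit side: a hook that hides PID 1337 and forwards everything else. */
#define HIDDEN_PID 1337
static import_fn original_open_process;

static int hooked_open_process(int pid) {
    if (pid == HIDDEN_PID)
        return -1;                       /* pretend the process does not exist */
    return original_open_process(pid);   /* trampoline to the original */
}

/* Overwrite the IAT slot, exactly as an IAT hook does in a real module. */
void install_iat_hook(void) {
    original_open_process = iat[SLOT_OPEN_PROCESS];
    iat[SLOT_OPEN_PROCESS] = hooked_open_process;
}

/* Restore the slot (what a remediation step would do). */
void remove_iat_hook(void) {
    if (original_open_process) {
        iat[SLOT_OPEN_PROCESS] = original_open_process;
        original_open_process = NULL;
    }
}

/* Application side: calls always go through the IAT, so the hook is transparent. */
int call_open_process(int pid) { return iat[SLOT_OPEN_PROCESS](pid); }
int call_list_files(int dir)   { return iat[SLOT_LIST_FILES](dir); }

/* Detector side: count slots whose target differs from the exported address.
 * Returns the number of hooked slots; 0 means the table is clean. */
int count_hooked_slots(void) {
    int hooked = 0;
    for (size_t i = 0; i < IAT_SLOTS; i++)
        if (iat[i] != expected_exports[i])
            hooked++;
    return hooked;
}

/* Index of the first hooked slot, or -1 if none. */
int first_hooked_slot(void) {
    for (size_t i = 0; i < IAT_SLOTS; i++)
        if (iat[i] != expected_exports[i])
            return (int)i;
    return -1;
}

int main(void) {
    printf("clean table: hooked slots = %d, open(%d) = %d\n",
           count_hooked_slots(), HIDDEN_PID, call_open_process(HIDDEN_PID));
    install_iat_hook();
    printf("after hook:  hooked slots = %d (slot %d), open(%d) = %d, open(5) = %d\n",
           count_hooked_slots(), first_hooked_slot(),
           HIDDEN_PID, call_open_process(HIDDEN_PID), call_open_process(5));
    remove_iat_hook();
    printf("after fix:   hooked slots = %d\n", count_hooked_slots());
    return 0;
}
```

The detection logic is the same comparison a tool makes on a live process: a slot that no longer points at the address the exporting module publishes is a hook, whatever the hook does. The check says nothing about inline hooks, which leave the IAT intact and patch the target function's first bytes instead; that is why the course stresses evaluating the breadth of a tool's detection capabilities rather than trusting one scanner.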
Learning Objectives
- Gain a deep understanding of the common techniques that stealth malware uses across all operating systems.
- Get hands-on experience with proof-of-concept rootkit techniques.
- Understand which tools are appropriate for finding which types of rootkits.
Framework Connections
The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):
Specialty Areas
- Technology R&D
Feedback
If you would like to provide feedback on this course, please e-mail the NICCS team at NICCS@mail.cisa.dhs.gov. Please keep in mind that NICCS does not own this course or accept payment for course entry. If you have questions related to the details of this course, such as cost, prerequisites, how to register, etc., please contact the course training provider directly. You can find course training provider contact information by following the link that says “Visit course page for more information...” on this page.