• Online, Self-Paced

Rootkits are a type of stealth malware that are dedicated to hiding the attacker’s presence on a compromised system. This class will focus on understanding how rootkits work and what tools can be used to help find them.

This will be a very hands-on class where we talk about specific techniques which rootkits use and then do labs where we show how a proof of concept rootkit is able to hide things from a defender. Example techniques include:

  • Trojan binaries
  • Inline hooks
  • Import Address Table (IAT) hooking
  • System Call Table/System Service Descriptor Table (SSDT) hooking
  • Interrupt Descriptor Table (IDT) hooking
  • Direct Kernel Object Manipulation (DKOM)
  • Kernel Object Hooking (KOH)
  • IO Request Packet (IRP) filtering
  • Hiding files/processes/open ports
  • Compromising the Master Boot Record (MBR) to install a “bootkit”

The class will help the student learn which tools to use to look for rootkits on Windows systems, how to evaluate the breadth of a tool’s detection capabilities, and how to interpret tool results.

Learning Objectives

  • Gain a deep understanding of the common techniques which stealth malware use across all operating systems.
  • Get hands on experience with proof of concept rootkit techniques.
  • Understand which tools are appropriate for finding which types of rootkits.

Framework Connections

The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.

Feedback

If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.