Rootkits are a type of stealth malware that are dedicated to hiding the attacker’s presence on a compromised system. This class will focus on understanding how rootkits work and what tools can be used to help find them.
This will be a very hands-on class where we talk about specific techniques which rootkits use and then do labs where we show how a proof of concept rootkit is able to hide things from a defender. Example techniques include:
Import Address Table (IAT) hooking
System Call Table/System Service Descriptor Table (SSDT) hooking
Interrupt Descriptor Table (IDT) hooking
Direct Kernel Object Manipulation (DKOM)
Kernel Object Hooking (KOH)
IO Request Packet (IRP) filtering
Hiding files/processes/open ports
Compromising the Master Boot Record (MBR) to install a “bootkit”
The class will help the student learn which tools to use to look for rootkits on Windows systems, how to evaluate the breadth of a tool’s detection capabilities, and how to interpret tool results.
Gain a deep understanding of the common techniques which stealth malware use across all operating systems.
Get hands on experience with proof of concept rootkit techniques.
Understand which tools are appropriate for finding which types of rootkits.
The materials within this course focus on the Knowledge Skills and Abilities (KSAs) identified within the Specialty Areas listed below. Click to view Specialty Area details within the interactive National Cybersecurity Workforce Framework.