🥷 Rootkits & Stealth Techniques

Learn how attackers attempt to hide malicious activity and why visibility is critical for defenders.

🚨 Incident Report

Security software reports:

• No malware detected
• No suspicious processes
• No active threats

Yet investigators observe:

• Unusual network traffic
• Credential theft
• Unauthorized activity

The malware isn’t gone.

It’s hidden.

📖 What Is A Rootkit?

A rootkit is a collection of techniques used to conceal malicious activity from users and security tools.

Hide The Evidence
Maintain Access

Rootkits are often used to support other malware by helping it remain undetected.

🎯 Rootkit Objectives

• Hide Malware
• Hide Processes
• Hide Files
• Hide Network Activity
• Maintain Persistence
• Avoid Detection

🗂 Common Rootkit Categories

• User Mode Rootkits
• Kernel Mode Rootkits
• Bootkits
• Firmware Rootkits
• Hypervisor-Based Rootkits

Different rootkits operate at different system layers.

👤 User Mode Rootkits

These operate at the application level.

They may attempt to:

• Hide files
• Hide processes
• Manipulate application output

Generally easier to detect than deeper rootkit types.

⚙ Kernel Mode Rootkits

Kernel mode rootkits operate closer to the operating system core.

Potential impact:

• Greater system control
• Deeper concealment
• More difficult investigations

These rootkits are considered especially dangerous.

💻 Bootkits

Bootkits target the system startup process.

Their goal is often:

• Early execution
• Persistence
• Long-term survival

They attempt to start before many security controls.

🥷 Common Stealth Techniques

• Process Hiding
• File Hiding
• Registry Hiding
• Log Manipulation
• Security Tool Evasion

The objective is always the same:

Reduce visibility.

⚠ Possible Indicators

• Unexpected system behavior
• Security tools disabled
• Missing logs
• Hidden files
• Unexplained network activity

Investigators often discover rootkits indirectly through anomalies.

🛠 Investigation Toolkit

• Process Explorer
• Autoruns
• Sysmon
• Volatility
• Wireshark
• EDR Platforms

Multiple tools are often required because a single view may be manipulated.

🔬 Why Forensics Matters

Rootkit investigations frequently involve:

• Memory analysis
• Disk analysis
• Log correlation
• Network evidence

Investigators often compare multiple data sources to uncover hidden activity.

🎓 CEH Exam Focus

• Rootkits conceal malicious activity
• User mode and kernel mode rootkits differ
• Bootkits target startup processes
• Rootkits support persistence and evasion
• Visibility is essential for detection

🏆 Key Lesson

Many malware families focus on compromise.

Rootkits focus on concealment.

You Can’t Defend
What You Can’t See

🤖 Botnets & Command-and-Control (C2)

Learn how attackers manage thousands of infected systems remotely and why command-and-control infrastructure is critical to modern malware operations.