🥷 Rootkits & Stealth Techniques
Learn how attackers attempt to hide malicious activity and why visibility is critical for defenders.
🚨 Incident Report
Security software reports:
- No malware detected
- No suspicious processes
- No active threats
Yet investigators observe:
- Unusual network traffic
- Credential theft
- Unauthorized activity
The malware isn’t gone.
It’s hidden.
📖 What Is A Rootkit?
A rootkit is a collection of techniques used to conceal malicious activity from users and security tools.
- Hide The Evidence
- Maintain Access
Rootkits are often used to support other malware by helping it remain undetected.
🎯 Rootkit Objectives
- Hide Malware
- Hide Processes
- Hide Files
- Hide Network Activity
- Maintain Persistence
- Avoid Detection
🗂 Common Rootkit Categories
- User Mode Rootkits
- Kernel Mode Rootkits
- Bootkits
- Firmware Rootkits
- Hypervisor-Based Rootkits
Different rootkits operate at different system layers.
👤 User Mode Rootkits
These operate at the application level.
They may attempt to:
- Hide files
- Hide processes
- Manipulate application output
They are generally easier to detect than deeper rootkit types.
⚙ Kernel Mode Rootkits
Kernel mode rootkits operate closer to the operating system core.
Potential impact:
- Greater system control
- Deeper concealment
- More difficult investigations
These rootkits are considered especially dangerous.
💻 Bootkits
Bootkits target the system startup process.
Their goal is often:
- Early execution
- Persistence
- Long-term survival
They attempt to start before many security controls.
🥷 Common Stealth Techniques
- Process Hiding
- File Hiding
- Registry Hiding
- Log Manipulation
- Security Tool Evasion
The objective is always the same: reduce visibility.
⚠ Possible Indicators
- Unexpected system behavior
- Security tools disabled
- Missing logs
- Hidden files
- Unexplained network activity
Investigators often discover rootkits indirectly through anomalies.
🛠 Investigation Toolkit
- Process Explorer
- Autoruns
- Sysmon
- Volatility
- Wireshark
- EDR Platforms
Multiple tools are often required because a single view may be manipulated.
🔬 Why Forensics Matters
Rootkit investigations frequently involve:
- Memory analysis
- Disk analysis
- Log correlation
- Network evidence
Investigators often compare multiple data sources to uncover hidden activity.
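The cross-view comparison behind "a single view may be manipulated" and "compare multiple data sources", as an added example that is not part of the original lesson: two independent enumerations of the process table (the normal API view and a low-level view such as brute-force PID probing, a memory image, or EDR kernel telemetry) are diffed, and only PIDs hidden in every round are reported, so a process that simply exited between snapshots is not mistaken for a rootkit. All snapshot data and process names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str

def cross_view(high_level: dict, low_level: dict) -> list:
    """Compare two independent views of the process table.

    high_level: pid -> name from the normal API (what ps / Task Manager shows).
    low_level:  pid -> name from an independent path (PID probing, a memory
                image parsed with Volatility, EDR kernel telemetry).
    A rootkit that filters one enumeration path rarely filters all of them,
    so a PID present only in the low-level view is a hidden-process candidate.
    """
    findings = []
    for pid in sorted(set(low_level) - set(high_level)):
        findings.append(Finding(pid, "low-level only: " + low_level[pid]))
    for pid in sorted(set(high_level) - set(low_level)):
        findings.append(Finding(pid, "high-level only: " + high_level[pid]))
    for pid in sorted(set(high_level) & set(low_level)):
        if high_level[pid] != low_level[pid]:
            findings.append(Finding(pid, f"name mismatch: {high_level[pid]} vs {low_level[pid]}"))
    return findings

def confirmed_hidden(rounds: list) -> set:
    """A process that exits between two enumerations is flagged once; a hidden
    process is flagged 'low-level only' in every round. Report only the latter."""
    per_round = [{f.pid for f in r if f.reason.startswith("low-level only")} for r in rounds]
    return set.intersection(*per_round) if per_round else set()

# Constructed snapshots (not real system data): (high_level, low_level), two rounds.
ROUND_1 = (
    {1: "init", 400: "sshd", 1337: "bash"},
    {1: "init", 400: "sshd", 1337: "bash", 4242: "kworker/u8:2"},
)
ROUND_2 = (
    {1: "init", 400: "sshd", 1337: "bash", 5000: "sleep"},  # 5000 exited before the low-level pass
    {1: "init", 400: "sshd", 1337: "bash", 4242: "kworker/u8:2"},
)

def investigate(snapshots=(ROUND_1, ROUND_2)) -> set:
    """Run the cross-view diff on every round and return PIDs hidden in all of them."""
    return confirmed_hidden([cross_view(hi, lo) for hi, lo in snapshots])

if __name__ == "__main__":
    for hi, lo in (ROUND_1, ROUND_2):
        for f in cross_view(hi, lo):
            print(f"pid {f.pid}: {f.reason}")
    print("confirmed hidden PIDs:", investigate())
```

On a live system the two views would come from different tools (for example a Process Explorer listing versus a Volatility process scan of a memory image), which is why the lesson stresses using more than one tool.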
🎓 CEH Exam Focus
- Rootkits conceal malicious activity
- User mode and kernel mode rootkits differ
- Bootkits target startup processes
- Rootkits support persistence and evasion
- Visibility is essential for detection
🏆 Key Lesson
Many malware families focus on compromise.
Rootkits focus on concealment.
You Can’t Defend What You Can’t See