detecting-rootkit-activity

# Detecting Rootkit Activity ## When to Use - System shows signs of compromise but standard tools (Task Manager, netstat) show nothing abnormal - Antivirus/EDR detects rootkit signatures but cannot identify the specific hiding mechanism - Memory forensics reveals discrepancies between kernel data structures and user-mode tool output - Investigating a persistent threat that survives remediation attempts and system reboots - Validating system integrity after a suspected kernel-level compromise **Do not use** as a first-line detection method; start with standard malware triage and escalate to rootkit analysis when hiding behavior is suspected. ## Prerequisites - Volatility 3 for memory forensics and kernel structure analysis - GMER or Rootkit Revealer (Windows) for live system scanning - rkhunter and chkrootkit (Linux) for filesystem and process integrity checks - Sysinternals tools (Process Explorer, Autoruns, RootkitRevealer) for Windows analysis - Memory dump from the suspected system (WinPmem, LiME) - Clean baseline of the OS for comparison (known-good kernel module hashes) ## Workflow ### Step 1: Cross-View Detection for Hidden Processes Compare process lists from different data sources to find discrepancies: ```bash # Volatility: Compare process enumeration methods # pslist - walks ActiveProcessLinks (EPROCESS linked list - what rootkits manipulate) vol3 -f memory.dmp windows.pslist > pslist_output.txt # psscan - scans physical memory for EPROCESS pool tags (root...