01:54 Panelist Introduction
02:24 Webinar Agenda
03:20 Rootkit Definition
03:47 Why Rootkits?
04:00 “They’re persistent. They’re often living at levels that are really hard for our tools to detect them.” – Adam
04:59 Four Varieties of Rootkits
05:29 Hardware and Firmware Rootkits
06:52 “One of the reasons I put Mebromi in here is because it happens to be the first piece of software we ever put into ATT&CK. It’s S0001.” – Adam
10:52 Across OSes
11:15 “The firmware is going to be the same across operating systems.” – Adam
12:19 “A bootkit will either overwrite the original boot code or the VBR, or patch a portion of it to execute custom code.” – Jared
14:21 Across OSes
15:10 Kernel Rootkits
15:13 “It’s a type of malware or tool that hides itself or other components from the OS as well as other capabilities like hiding network connections.” – Jared
17:00 “Skidmap had a rootkit component that was used to hide crypto mining processes and it also altered network stats and connections.” – Jared
19:25 Windows Mitigation
20:50 “There is a series of events that lead up to these rootkits being able to run.” – Jared
22:25 macOS Mitigation
23:39 “Apple is now exposing all of that information that would normally require a kernel extension through APIs that are accessible through userland.” – Joren
24:00 “Eventually it seems like everything will require notarization and therefore that hardened runtime.” – Joren
27:07 “You can search or alert on any endpoint telemetry you’re collecting through an open-source tool or EDR product. They look for uses of kextload, which actually loads a kernel extension, or more of the rootkit-style behaviors.” – Joren
28:42 Linux Mitigation
33:24 Usermode Rootkits
33:39 “This is one of the only types that doesn’t require administrative privileges.” – Joren
37:15 “A usermode rootkit might change what’s returned to another process. And typically it only requires admin or root versus additional levels of privileges.” – Joren
38:02 macOS Mitigations
38:58 “This basically prevents someone from replacing an expected shared object with a malicious one, and now your host application is doing things it shouldn’t.” – Joren
40:13 Linux Mitigations
40:22 “You don’t want root to equal kernel. You have some options available to you now with later versions of the Linux kernel.” – Joren
43:12 Practical Takeaways
43:35 “Don’t turn off the things that are included with operating system protections.” – Tony
45:33 “Turn on the protections you have. It’s a really hard space for detection so you need to do everything you can to not end up in this position in the first place.” – Adam
46:25 Questions & Answers
47:49 Question 1: Are we still good with the security of UEFI, or is it a mistake?
47:55 “The UEFI standard has secure boot in it as part of the standard.” – Adam
49:15 Question 2: How effective is “rkhunter” on Linux? Does it affect more than usermode rootkits?
49:47 “They will look for artifacts known to be associated with rootkit families.” – Joren
50:55 Question 3: What are some strategies for dealing with out-of-band management implants?
51:39 “Make sure you’re actually running the updates that you have. It’s way outside of your visibility.” – Adam
52:59 Question 4: Have you seen any use of rootkits with ransomware variants?
53:30 “There is not a whole lot of need to have a rootkit with ransomware.” – Jared
56:08 Question 5: Due to the nature of legacy systems, are they still vulnerable to the four types of rootkits discussed here today?
56:30 “The one piece of good news is that commercial virtualization, especially newer products, do have some of the same protections built in that real hardware does.” – Adam
57:00 Question 6: Is there a dummy rootkit to use for pentesting?
57:15 “I would be very careful because they are very prone to do weird things especially when you start messing with things at that level.” – Jared