Rootkit
Definition
A rootkit is a type of malware that hides itself in the operating system and gives an attacker undetected, persistent access to a system.
A rootkit is a type of malware that hides deep within the operating system and gives an attacker undetected, persistent access to a compromised system. Rootkits manipulate the operating system itself to conceal their presence from security software and system administrators.
How does a rootkit work?
Rootkits operate at the deepest level of the operating system. They modify kernel modules, system calls and OS functions to hide themselves and other malware. When an administrator queries the process list or an antivirus scanner reads the file system, the rootkit intercepts these requests and filters its own processes, files and network connections out of the results, so the system reports itself as clean.
Types of rootkits
Kernel rootkits operate at kernel level and are the hardest to detect. Bootkits infect the bootloader or MBR and load before the OS, bypassing the OS's own security mechanisms. Firmware rootkits embed themselves in device firmware such as the BIOS/UEFI and survive an OS reinstallation. User-mode rootkits operate at application level. Hypervisor rootkits create a virtual layer beneath the OS.
Impact on organisations
Rootkits are particularly dangerous because they provide long-term undetected access. APT groups use rootkits to maintain persistence. Traditional antivirus cannot reliably detect rootkits because the rootkit manipulates what the scanner is allowed to see.
Protection
Use EDR solutions with kernel-level monitoring. Enable Secure Boot and UEFI security features to prevent bootkits. Perform regular integrity checks on critical system files. When a rootkit is suspected, analyse the system offline from trusted external media, since the running OS can no longer be trusted to report accurately. Memory dump analysis can identify active rootkits.
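One way to implement a check in the spirit of the protection steps above, as an added example (not DEFION's own tooling) assuming Linux and Python 3: it compares the process view an administrator and most tools see (the /proc listing, which a rootkit hooking the directory listing can filter, as described under "How does a rootkit work?") against an independent probe of the whole PID space via kill(2) with signal 0, and takes a second listing afterwards to discount processes that started mid-scan.

```python
import os

def cross_view_diff(api_view, raw_view, api_view_after=None):
    """IDs present in the raw view but absent from both API snapshots, so a
    process that started between the two snapshots is not reported as hidden."""
    seen = set(api_view) | set(api_view_after or ())
    return sorted(set(raw_view) - seen)

def api_pids():
    """Administrator's view: the /proc listing, filterable by a getdents() hook."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def thread_group_id(pid):
    """Tgid from /proc/<pid>/status (equals pid for a thread-group leader),
    or None if the entry cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None

def raw_pids(pid_max):
    """Independent view: ask the kernel about every PID with signal 0.
    kill(2) also answers for thread IDs, so non-leader threads are dropped
    via Tgid; an unreadable status entry is kept as suspicious."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but belongs to another user
        if thread_group_id(pid) in (pid, None):
            found.add(pid)
    return found

def find_hidden_pids():
    """Linux cross-view check: PIDs that answer kill(2) but appear in neither
    /proc listing taken before and after the probe."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    before = api_pids()
    raw = raw_pids(pid_max)
    return cross_view_diff(before, raw, api_pids())

if __name__ == "__main__":
    # Probing the full PID space takes a few seconds; any hit warrants
    # offline follow-up rather than trusting the live system's answers.
    print("hidden PID candidates:", find_hidden_pids() or "none")
```

A hit is a candidate, not proof: confirm it from trusted external media or a memory image, because the live kernel is exactly what a rootkit controls.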
How DEFION helps
DEFION performs compromise assessments specifically searching for rootkit indicators and long-term compromises. The DFIR team has experience with rootkit detection and removal in complex incidents.