Challenge 06 • Rootkit & Kernel Attack Detection

Understanding Rootkits & Kernel Attacks

Rootkits are malicious software designed to hide their presence and the presence of other malware by manipulating the operating system at the kernel level. They are among the most dangerous threats because they operate with highest privileges and can evade traditional detection methods.

⚠️ Why Rootkits are Extremely Dangerous

Kernel Privileges: Run with Ring 0 access - complete control over the system

Stealth: Hide processes, files, network connections, and even themselves

Persistence: Survive reboots by loading at boot time via kernel modules

Detection Evasion: Can manipulate tools like ps, ls, netstat to hide evidence

Data Theft: Intercept passwords, keystrokes, network traffic at kernel level

🔧 Kernel Modules (LKMs - Loadable Kernel Modules)

Purpose: Extend kernel functionality without recompiling (device drivers, filesystems)

Legitimate Use: Hardware drivers, VPNs, security modules

Malicious Abuse: Rootkits load as kernel modules to hook system calls and hide activity

File Extension: .ko (kernel object) - e.g., evil_module.ko

📄 /var/log/kern.log

Purpose: Records kernel-level events including module loads, hardware events, crashes

Critical Indicators: insmod/modprobe commands, module initialization, kernel warnings

What to Look For: Unsigned modules, unusual module names, modules loaded from /tmp

💻 dmesg (Diagnostic Message)

Purpose: Kernel ring buffer containing recent kernel messages

Advantage: Can't be easily cleared by rootkits (requires kernel access)

Contains: Boot messages, hardware detection, driver errors, security warnings

Rootkit Detection Techniques

🚨 Process Hiding Detection

Compare ps output vs /proc filesystem
Hidden processes have /proc/[PID] but not in ps
Look for gaps in PID sequence
Check process parent-child relationships
Use unhide or unhide-tcp tools

📂 File Hiding Detection

Compare ls vs direct /proc access
Check for missing files in directory count
Use stat vs ls to find hidden files
Examine inode inconsistencies
Boot from live CD for clean view

🔌 Kernel Module Analysis

lsmod - list loaded modules
modinfo - module details
Check /sys/module/ directory
Verify module signatures
Look for modules without source

🛡️ Syscall Hooking Detection

Check /proc/kallsyms for hooks
Compare syscall table addresses
Use tools: chkrootkit, rkhunter
Memory forensics (Volatility)
Kernel integrity checking

Investigation Commands

# List loaded kernel modules
lsmod

# Get module details
modinfo module_name

# Check kernel messages
dmesg | tail -50

# Compare process lists
ls /proc | grep -E '^[0-9]+$' | wc -l # Actual processes
ps aux | wc -l # What ps shows (may be less if hiding)

# Check for rootkit signatures
chkrootkit
rkhunter --check

🚨 Critical Warning: Rootkit-infected systems should NOT be trusted for remediation. Always perform forensics from a clean boot environment (live CD/USB) or trusted external system. Never trust tools on a compromised system - they may be modified by the rootkit.

Evidence Review

📄 /var/log/kern.log Click lines to tag as evidence

💻 dmesg (Kernel Ring Buffer)

🔧 lsmod (Loaded Modules)

⚠️ Process Comparison (ps vs /proc)

📌 Evidence Locker

No evidence tagged yet. Click log lines to add them.

Interactive Terminal

Run bash commands to analyze the logs. Available: cat, grep, lsmod, dmesg, wc, awk, ls, clear, help

analyst@blueteam:~$ Terminal ready. Type 'help' for available commands.

analyst@blueteam:~$

Investigation Tasks

Tasks Completed: 0 / 12

Task 1 — Malicious Kernel Module Name

✓ Correct Answer:

diamorphine

The module "diamorphine" appears in kern.log and lsmod output. Diamorphine is a real open-source LKM rootkit that hides processes, files, and provides backdoor access. Look for it in the module loading logs.

Task 2 — Module Load Timestamp

✓ Correct Answer:

Nov 28 03:15:22

kern.log shows: "Nov 28 03:15:22 kernel: [diamorphine] Module loaded successfully" - This is when the rootkit was activated.

Task 3 — Module File Location

✓ Correct Answer:

/tmp/diamorphine.ko

kern.log indicates the module was loaded from /tmp/diamorphine.ko - suspicious because legitimate modules are in /lib/modules/. /tmp is writable by all users and not a standard module location.

Task 4 — Number of Hidden Processes

✓ Correct Answer:

Process comparison shows: /proc has PIDs 8934, 8967, 9012 but they don't appear in ps aux output. The rootkit is hiding 3 malicious processes.

Task 5 — Hidden Process PID (any one)

✓ Correct Answer:

8934

Valid answers: 8934, 8967, or 9012. These PIDs exist in /proc but are hidden from ps by the rootkit's syscall hooks. 8934 is the first hidden process.

Task 6 — Kernel Symbol Table File

✓ Correct Answer:

/proc/kallsyms

/proc/kallsyms contains kernel symbols and their addresses. Rootkits manipulate this to hook syscalls. Forensic analysis mentions checking this file for hooked functions.

Task 7 — Hooked System Call

✓ Correct Answer:

getdents

dmesg shows "syscall hook detected: getdents" - getdents (get directory entries) is used by ls to list files. Hooking it allows hiding files and directories.

Task 8 — Module Reference Count

✓ Correct Answer:

lsmod output shows diamorphine with "Used by" count of 0. Rootkits often set this to 0 to allow unloading and evade detection. Some even make themselves appear unused.

Task 9 — Module Signature Status

✓ Correct Answer:

unsigned

kern.log warning: "Loading unsigned kernel module: diamorphine" - Legitimate modules are signed by the distribution. Unsigned modules are suspicious and indicate potential malware.

Task 10 — Magic String for Hiding (if found in logs)

✓ Correct Answer:

diam0rph

dmesg shows: "Process hide string: diam0rph" - Diamorphine hides processes/files containing this string in their name. This is the "magic" prefix used by the rootkit.

Task 11 — Backdoor Port Number

✓ Correct Answer:

64766

dmesg reveals: "Backdoor listening on port 64766" - Diamorphine includes a magic packet backdoor that grants root access when a special packet is sent to this port.

Task 12 — MITRE ATT&CK Technique ID

✓ Correct Answer:

T1014

T1014 = Rootkit. This technique involves deploying rootkits to hide malware, processes, files, and network connections at the kernel level. Diamorphine is a classic LKM rootkit example.

XP: 0 / 1200

Attack Analysis & Incident Summary

This section auto-fills once all tasks are completed correctly.

Rootkit Infection Chain

Complete all tasks to reveal the rootkit infection chain.

Incident Summary

Threat type: —
Rootkit name: —
Module location: —
Load time: —
Hidden processes: —
Hooked syscall: —
Module status: —
Magic string: —
Backdoor port: —
MITRE ATT&CK: —

Recommended Remediation

Immediate: ISOLATE SYSTEM - Do NOT trust any tools on infected host. Boot from clean media.
Forensics: Memory dump for analysis, disk imaging, preserve logs externally, document IOCs
Removal: Remove diamorphine module (rmmod), check for persistence (rc.local, systemd), scan for additional malware
Recovery: Rebuild from known good backup, reinstall OS if persistence unclear, rotate all credentials
Prevention: Enable kernel module signing enforcement, implement UEFI Secure Boot, use integrity monitoring (AIDE), regular kernel updates

Why This Attack Succeeded

The rootkit infection succeeded because:
1. Kernel module signing enforcement was disabled (unsigned modules allowed)
2. Attacker had root access to load kernel modules (insmod command)
3. No integrity monitoring (AIDE/Tripwire) to detect kernel changes
4. Missing rootkit detection tools (chkrootkit, rkhunter)
5. No kernel lockdown or secure boot enabled

Detection Bypassed

The rootkit evaded detection by:
• Hooking getdents() syscall to hide files from ls
• Hooking readdir() to hide from directory listings
• Manipulating /proc to hide processes from ps, top, htop
• Setting module reference count to 0 to appear unused
• Operating entirely in kernel space (no userland footprint)

🛡️ Challenge 06 • Rootkit & Kernel Attack Detection

Mission Brief

Available Artifacts

Learning Objectives

Understanding Rootkits & Kernel Attacks

⚠️ Why Rootkits are Extremely Dangerous

🔧 Kernel Modules (LKMs - Loadable Kernel Modules)

📄 /var/log/kern.log

💻 dmesg (Diagnostic Message)

Rootkit Detection Techniques

🚨 Process Hiding Detection

📂 File Hiding Detection

🔌 Kernel Module Analysis

🛡️ Syscall Hooking Detection

Investigation Commands

Evidence Review

Interactive Terminal

Investigation Tasks

Attack Analysis & Incident Summary

Rootkit Infection Chain

Incident Summary

Recommended Remediation

Why This Attack Succeeded

Detection Bypassed