Exploring Rootkits
Sep 26, 2025
Note: This is a theory/conceptual discussion — not a how-to. Don’t go do illegal stuff.
Googling “rootkit” often returns definitions like “gives remote access to the computer” and “malicious software code” — terms that apply to much malware.
So, how do we define exactly what a rootkit is?
What is a Rootkit
According to the book Rootkits: Subverting the Windows Kernel by Greg Hoglund and James Butler (2005), a rootkit is “a set of programs and code that allows a permanent and undetectable presence on a computer.”
Based on this definition, we should ask: Which programs and code do rootkits target?
This’ll require a bit of a dive into the hardware side of things, but don’t feel like Alice in Wonderland yet.
Feel free to look at "History of Operating System & Kernel" for a brief history lesson on the Windows Operating System.
There are also a few key terms I want you to consider as we read: persistence, stealth, and surveillance.
Types of Rootkits
We’ll focus on two in this article (for simplicity's sake): user-mode rootkits and kernel-mode rootkits.
Where Do Rootkits Operate
Rootkits are pretty scary because they can operate at different system levels.
Remember the Pyramid of Pain, created by security professional David J. Bianco in 2013.
Rootkits sit at, or very near, the top of the pyramid, in the Tactics, Techniques, and Procedures (TTPs) tier. As analysts, we must go beyond simply identifying obvious indicators, such as suspicious IP addresses or file hashes.
Instead, we need to develop the skillset to identify the sophisticated and varied methods that attackers can use to install rootkits on a system. Taking a look at MITRE ATT&CK’s Rootkit technique (T1014) reveals the various attacks that threat actor groups employ to achieve their goal of persistence.

I hate to cut this short, but I’ll continue discussing rootkits in the next blog post.