Rootkit detection methods are techniques used to identify software designed to hide its presence and maintain persistent, privileged access to a compromised system. Rootkits operate at several levels of the system stack: user-mode rootkits hook libraries or patch processes, kernel-mode rootkits load drivers or modules that alter kernel data structures, bootkits subvert the boot chain before the operating system loads, and firmware-level implants persist below the operating system entirely. Because a rootkit subverts the operating system's own reporting mechanisms, reliable detection requires approaches that operate outside or below the rootkit's level of control.
Cross-view detection compares results returned by the operating system's APIs with a direct examination of the underlying data structures. For example, comparing the process list reported by the Windows API with process objects found by scanning kernel memory directly reveals hidden processes; the comparison must not rely on the kernel's active-process linked list alone, because a DKOM rootkit has already unlinked its process from that list. Integrity checking compares current system state against known-good baselines: system file hashes, kernel module lists, interrupt descriptor tables (IDT), and system service dispatch tables (SSDT), where an entry pointing outside the legitimate kernel image indicates a hook. Memory forensics tools such as Volatility detect rootkits by analyzing raw memory dumps outside the compromised operating system's control, with the caveat that the dump itself must be acquired through a path the rootkit cannot tamper with (for example a hypervisor or hardware-assisted capture rather than a driver loaded into the suspect kernel). Behavioral detection identifies rootkit-like activity such as API hooking, direct kernel object manipulation (DKOM), and inline function patching. Boot-level detection uses UEFI Secure Boot to reject unsigned boot components and measured boot with TPM attestation to let an external verifier compare the recorded measurements against known-good values. Specialized tools include GMER, RootkitRevealer, chkrootkit, and rkhunter.
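The three checks above (cross-view process comparison, dispatch-table hook detection, and integrity drift against a baseline) can be written as small set comparisons once the two views have been collected. The following Python is an added illustration, not tooling from this page or from CDA: the function names are hypothetical, and the process lists, the syscall-table addresses, the kernel text range, and the file hashes are constructed snapshots rather than data from any real system.

```python
"""Cross-view, hook-detection and integrity checks over constructed snapshots.
Added example; nothing below is captured from a real host."""
import hashlib


# ---- Cross-view detection -------------------------------------------------
def hidden_processes(api_view, lowlevel_view):
    """Return (hidden, exited) for two {pid: name} views of the process table.

    api_view:      what the OS enumerator reports (EnumProcesses, ps, /proc).
    lowlevel_view: gathered without asking that enumerator, e.g. a pool-tag scan
                   for EPROCESS objects in a memory image, or a kill(pid, 0)
                   sweep over the whole PID range on Linux.
    A DKOM rootkit unlinks its process from the active-process list, so it is
    absent from the API view but its object is still found by the scan.  The
    reverse discrepancy (API view only) is usually a process that exited between
    the two snapshots, so it is returned separately instead of being ignored.
    """
    hidden = {pid: name for pid, name in lowlevel_view.items() if pid not in api_view}
    exited = {pid: name for pid, name in api_view.items() if pid not in lowlevel_view}
    return hidden, exited


# ---- Hook detection on a dispatch table ------------------------------------
def hooked_entries(table, trusted_ranges):
    """Indices of dispatch-table entries pointing outside every trusted range.

    table:          {index: target_address}, e.g. SSDT or sys_call_table contents
                    read out of a memory image.
    trusted_ranges: [(start, end), ...] half-open address ranges allowed to own
                    an entry, typically the kernel image's text section.
    An entry redirected into a rootkit driver lands outside all of them.
    """
    def trusted(addr):
        return any(start <= addr < end for start, end in trusted_ranges)
    return sorted(idx for idx, addr in table.items() if not trusted(addr))


# ---- Integrity checking against a baseline --------------------------------
def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_drift(baseline, current):
    """Compare a known-good {path: sha256} baseline with a current snapshot.

    Returns (modified, missing, added).  The baseline must come from a trusted
    source (golden image or an off-host hash list); a baseline taken on an
    already-compromised host proves nothing.  The current hashes should be
    computed from a disk image or a rescue boot, not through the suspect
    kernel's file system API, which a rootkit can filter.
    """
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, missing, added


# ---- Constructed snapshots (assumed data, not from a real system) ----------
API_PROCS = {1: "init", 2: "kthreadd", 812: "sshd", 1033: "cron"}
SCAN_PROCS = {1: "init", 2: "kthreadd", 812: "sshd", 1033: "cron", 4242: "kworker/u8:9"}

# One trusted kernel text range; entry 62 (kill on x86_64) has been redirected
# to an address in an unknown module.
KERNEL_TEXT = [(0xFFFFFFFF81000000, 0xFFFFFFFF81E00000)]
SYSCALL_TABLE = {
    0: 0xFFFFFFFF812A0F10,    # read
    1: 0xFFFFFFFF812A1230,    # write
    62: 0xFFFFFFFFC0A1B000,   # kill -> outside kernel text
    217: 0xFFFFFFFF8132C4A0,  # getdents64
}

BASELINE_FILES = {
    "/bin/ls": sha256(b"ls v1 constructed contents"),
    "/bin/ps": sha256(b"ps v1 constructed contents"),
    "/lib/modules/nf_conntrack.ko": sha256(b"legit module"),
}
CURRENT_FILES = {
    "/bin/ls": sha256(b"ls v1 constructed contents"),
    "/bin/ps": sha256(b"ps v1 constructed contents with patched readdir"),
    "/lib/modules/rk.ko": sha256(b"rootkit module"),
}


def run_checks():
    """Run all three checks over the constructed snapshots and return findings."""
    hidden, exited = hidden_processes(API_PROCS, SCAN_PROCS)
    hooks = hooked_entries(SYSCALL_TABLE, KERNEL_TEXT)
    modified, missing, added = integrity_drift(BASELINE_FILES, CURRENT_FILES)
    return {"hidden": hidden, "exited": exited, "hooked": hooks,
            "modified": modified, "missing": missing, "added": added}


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

The comparisons are deliberately trivial; all of the difficulty in practice is in collecting the low-level view through a path the rootkit does not control, which is why the functions take already-collected snapshots as input rather than querying the running system.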
Rootkits represent one of the most dangerous classes of malware because they undermine the fundamental trust relationship between security tools and the operating system. A system compromised by a kernel rootkit cannot reliably report its own state, making detection from within the compromised OS unreliable. Rootkits enable long-term persistent access used by APT groups for espionage and by criminal organizations for sustained data theft. Failure to detect and remove rootkits during incident response leads to re-compromise after supposedly clean systems are returned to production.
CDA addresses rootkit detection in the TID and SPH domains, with dedicated missions in C-HARDEN and C-DRILL campaigns. Our methodology emphasizes external validation over internal system queries, using memory forensics and trusted boot verification as primary detection mechanisms. CDA operators are trained to assume that a compromised system's self-reported state is unreliable until verified through independent means.