Kernel rootkits have become more popular thanks to their persistence techniques and their ability to conceal malicious activity. In this talk, we will dive into kernel mechanics from an offensive perspective and learn why, where, and how attackers manage to manipulate the kernel. Next, we will introduce Tracee, an open-source runtime security tool that can detect these rootkits at runtime by controlling eBPF programs that perform forensic research while interacting safely with the kernel.