Hunting kernel rootkits with eBPF

Track 1 - Jungle

Thu, 30 Jun 2022 @ 11:20:00

Kernel rootkits are becoming more popular thanks to their persistence techniques and their ability to conceal malicious activity. In this talk, we will take a dive into kernel mechanics from an offensive perspective and learn why, where, and how attackers manage to manipulate the kernel. We will then introduce Tracee, an open-source runtime security tool that detects such rootkits at runtime by driving eBPF programs to perform forensic analysis while interacting safely with the kernel.