CERT Sekoia has published a document that gives an overview of the relevant Windows kernel mechanisms and a technical guide to conducting a rootkit analysis. Its aim is to share reverse engineering best practices in order to help organizations in their daily security work.
This publication is based on a rootkit discovered by ESET and developed by a well-known APT actor identified as Sednit (aka APT28, Fancy Bear, Sofacy, STRONTIUM, Tsar Team…). For your information, the ESET publication can be downloaded there. This group is believed to be behind several widely reported attacks, such as the attack on the German parliament in December 2014 and the compromise of TV5Monde in April 2015.
CERT Sekoia chose this sample because it is accessible to beginners:
The document walks through a rootkit analysis step by step:
The purpose is to provide a tutorial on the state of the art of rootkit analysis on modern x64 Windows systems.
You can download our document in PDF format there.
We love feedback, so don't hesitate to contact us with questions or for any other purpose!
Sekoia creates solutions for cyber-risk prevention and cyber-attack response. Since 2008, Sekoia has been developing know-how and technologies to address the emerging risks companies face in cyberspace.