June 9, 2022

A userland rootkit is pretty weak. There are some easy ways to detect it. The simplest is to just use a statically linked binary, like busybox, rather than the utilities on the compromised box. Honestly, I thought this was standard practice, so I’m a bit surprised that a userland rootkit can defeat live forensics.
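
An added example, not part of the comment above, showing one way to act on its advice before trusting a "known good" tool on a suspect host: parse the ELF program headers yourself and confirm the binary carries no PT_INTERP or PT_DYNAMIC entry (the two markers of a dynamically linked executable that `LD_PRELOAD` or `/etc/ld.so.preload` could hook), and list any preload hooks that are currently configured. The ELF layout and offsets are from the ELF specification; the `build_elf64` helper and the sample headers it emits are constructed here purely so the check can be exercised offline, and do not come from any real binary.

```python
import os
import struct
import sys

# ELF program header types relevant to the check (from the ELF spec)
PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3


def elf_program_types(data: bytes) -> list:
    """Return the p_type of every program header in an ELF image (32- or 64-bit, either endianness)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_class == 2:                              # ELFCLASS64
        e_phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt = end + "IIQQQQQQ"                     # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    elif ei_class == 1:                            # ELFCLASS32
        e_phoff = struct.unpack_from(end + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt = end + "IIIIIIII"                     # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    # p_type is the first field of a program header in both ELF32 and ELF64
    return [struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)[0] for i in range(e_phnum)]


def is_statically_linked(data: bytes) -> bool:
    """True if the image has no dynamic loader entry (PT_INTERP) and no dynamic section (PT_DYNAMIC)."""
    types = elf_program_types(data)
    return not any(t in (PT_INTERP, PT_DYNAMIC) for t in types)


def preload_hooks() -> list:
    """Report the two userland hooking points the dynamic loader honours: LD_PRELOAD and /etc/ld.so.preload."""
    hooks = []
    if os.environ.get("LD_PRELOAD"):
        hooks.append(("LD_PRELOAD", os.environ["LD_PRELOAD"]))
    try:
        with open("/etc/ld.so.preload", "r") as f:
            for line in f:
                if line.strip():
                    hooks.append(("/etc/ld.so.preload", line.strip()))
    except OSError:
        pass                                       # file absent: nothing to report
    return hooks


def build_elf64(ptypes, little_endian=True) -> bytes:
    """Constructed sample input: a minimal ELF64 header followed by one 56-byte program header per requested type.
    It is not loadable; it exists only so the checks above can run without a real binary."""
    end = "<" if little_endian else ">"
    e_ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1]) + b"\x00" * 9
    ehdr = e_ident + struct.pack(end + "HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0x400000,   # e_type=EXEC, e_machine=x86-64, e_version, e_entry
                                 64, 0, 0,               # e_phoff (right after the 64-byte header), e_shoff, e_flags
                                 64, 56, len(ptypes),    # e_ehsize, e_phentsize, e_phnum
                                 64, 0, 0)               # e_shentsize, e_shnum, e_shstrndx
    phdrs = b"".join(struct.pack(end + "IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return ehdr + phdrs


if __name__ == "__main__":
    # Usage: python3 check_static.py /path/to/busybox [/path/to/other/tool ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            blob = f.read()
        print("%s: %s" % (path, "static" if is_statically_linked(blob) else "DYNAMIC (hookable via preload)"))
    for source, value in preload_hooks():
        print("preload hook configured: %s = %s" % (source, value))
```

The check is deliberately done from raw bytes rather than by running `ldd` or `file`, since those are themselves dynamically linked tools on the host being examined. It only addresses the userland case the comment is about; a kernel-level rootkit can lie to a static binary just as easily as to a dynamic one, because the hooks sit below the syscall boundary.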

