Rootkits, Bootkits, and Kernel Malware
RCCE students will learn how advanced malware abuses kernel privileges, boot mechanisms, drivers, and low-level hooks to hide from security tooling and maintain deep persistence. RCCE students will learn to identify stealth techniques, investigate boot-path compromise, understand kernel tampering patterns, detect suspicious drivers, and connect low-level compromise to broader incident response workflows. The course covers practical scenarios ranging from kernel artifact review to stealth malware investigation and response planning. RCCE students will learn to analyze complex systems and think like an attacker to better defend the organization. This comprehensive course delivers practical knowledge applicable to real-world cybersecurity operations. Starting from foundational concepts, RCCE students will learn through a combination of concept explanation, practical demonstration, and hands-on exercises.
- Security Engineers building defensive controls
- Security Analysts and Blue Team members
- Systems Administrators with security responsibilities
- GRC and Risk Professionals supporting controls
- Professionals implementing Rootkits, Bootkits, and Kernel Malware
- Execute hands-on tasks for kernel malware
- Explain Course Overview fundamentals
- Execute hands-on tasks for what you will learn — covering Kernel rootkit internals and persistence, Bootkit attack chains and UEFI compromise.
- Execute hands-on tasks for course details — covering Level: Advanced | Domain: DFIR, 7 major sections, 50+ instructional slides.
- Design a scalable privilege management architecture with policy and enforcement
- Execute hands-on tasks for ring 0 (kernel) — covering Full hardware access.
- Execute hands-on tasks for ring 3 (user) — covering Application isolation.
- Execute hands-on tasks for kernel memory layout — covering Transition gate: Ring 3 to Ring 0.
- Execute hands-on tasks for ring 0 — kernel mode
- Execute hands-on tasks for ring 1 — device drivers
- Execute hands-on tasks for ring 3 — user applications
- Execute hands-on tasks for legacy bios boot — covering POST > MBR > VBR > Bootloader, MBR at sector 0 (512 bytes).
| Module 01 | Kernel Malware |
| Module 02 | Course Overview |
| Module 03 | What You Will Learn |
| Module 04 | Course Details |
| Module 05 | Kernel Architecture Fundamentals |
| Module 06 | Ring 0 (Kernel) |
| Module 07 | Ring 3 (User) |
| Module 08 | Kernel Memory Layout |
| Module 09 | Ring 0 — Kernel Mode |
| Module 10 | Ring 1 — Device Drivers |
| Module 11 | Ring 3 — User Applications |
| Module 12 | Legacy BIOS Boot |
| Module 13 | POST > MBR > VBR > Bootloader |
| Module 14 | UEFI Boot Path |
All hands-on labs run on Rocheston Rose X OS. Students practice rootkits, bootkits, and kernel malware by implementing the controls discussed in class, with a focus on real-world deployment, monitoring, and validation.
- Lab 1: Execute hands-on tasks for kernel malware
- Lab 2: Explain Course Overview fundamentals
- Lab 3: Execute hands-on tasks for what you will learn
- Lab 4: Execute hands-on tasks for course details
- Lab 5: Design a scalable privilege management architecture with policy and enforcement
Upon successful completion of this course, students will receive an official RCCE Course Completion Certificate for Rootkits, Bootkits, and Kernel Malware, verifiable through the Rocheston certification portal.
- Full access to all course materials and slide decks
- Hands-on lab access on Rocheston Rose X OS environment
- Access to Rocheston CyberNotes
- Access to Rocheston Zelfire — EDR/XDR SIEM platform
- Access to Rocheston Raven — online cyber range exercise platform
- Access to Rocheston Vulnerability Vines AI