Handout B: Rootkit Forensic Artifacts

Large group equivalent: This handout maps to artifact cards A-R23-1 + part of C-R1-2.

Hardware-assisted memory enumeration report from HANSEN-SAP-01, completed by a security specialist at BioGenix Solutions, 2026-04-16 08:32:14 UTC.

HANSEN-SAP-01 Memory Forensics Output
Type: Hardware-assisted memory enumeration report
Source: Security specialist memory scan, HANSEN-SAP-01, 2026-04-16 08:32:14 UTC

Memory Scan Report — HANSEN-SAP-01
Scan Method: Hardware-Assisted Enumeration (Hypervisor DKOM check)
Timestamp: 2026-04-16 08:32:14 UTC
Installed CaliSyncPro version: v4.2.0 (released 2025-11-18)

vol3 -f HANSEN-SAP-01.mem windows.hidden_modules
  Module at 0xFFFFF80012A40000
  Size: 147,456 bytes
  Signing Certificate: CaliSync Instrumentation GmbH (SN 4A9F02B1C3D7E8F6)
  Certificate Status: VALID
  Hook: NtQuerySystemInformation

vol3 -f HANSEN-SAP-01.mem windows.pslist --diff hardware
  Standard tasklist.exe: 87 processes
  Hardware enumeration: 92 processes
  PID 4028: svchost.exe   ESTABLISHED 203.0.113.44:443 [ACTIVE]
  PID 4032: lsass.exe     Injected thread (0xFFFFF80012A40000+0x2400)
  PID 4036: svchost.exe   File I/O: \\GenixLibrary\* (recursive)
  PID 4040: System        Kernel thread (watchdog, 30-sec interval)
  PID 4100: svchost.exe   Disk I/O: \\.\PhysicalDrive0\Partition4 (hidden)

IM NOTES (Do Not Show to Players):

  • The DKOM technique (hooking NtQuerySystemInformation) explains why all prior disk scans returned clean – the rootkit intercepted OS queries before they could reveal its presence. Hardware enumeration bypasses the OS entirely.
  • The certificate is valid and the kernel module is signed – the rootkit shipped inside a legitimately-signed update. The vendor’s build pipeline was compromised, not the certificate.
  • PID 4028 has an ACTIVE C2 connection right now. Isolating HANSEN-SAP-01 will drop this channel, but the kernel driver and process tree remain in memory. Memory image and driver artifact must be captured before isolation or reimaging – this is what CFCS needs for attribution.
  • HANSEN-SAP-01 was excluded from SOC monitoring as a decommission-backlog system. The external CFCS tip-off was the only trigger that led to discovery – no internal detection fired.
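The first IM note describes the detection principle behind the report: the OS-level process list is answered by a hooked API, so the only way to see the hidden entries is to compare it against a view the rootkit cannot filter. The script below is an added example for facilitators (it is not part of the exercise materials, and not Volatility or tasklist output); it performs that cross-view diff on two constructed listings in a simplified "PID image [details]" format, reuses the handout's PIDs and the hidden module's base address and size, and flags which hidden process has an injected thread whose start address falls inside the hidden module.

```python
"""Cross-view process diff: compare an OS-level process list against a
hardware-assisted enumeration and flag entries the OS did not report.

Added example for the handout. The two listings below are constructed in a
simplified format; they are not real Volatility or tasklist output.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: what the OS reported (tasklist-style view).
OS_VIEW = """\
4 System
632 lsass.exe
900 svchost.exe
1284 explorer.exe
"""

# Constructed sample: hardware-assisted view (hypervisor walk of kernel
# structures). Same PIDs as above plus the entries the OS view omitted.
HW_VIEW = """\
4 System
632 lsass.exe
900 svchost.exe
1284 explorer.exe
4028 svchost.exe ESTABLISHED 203.0.113.44:443
4032 lsass.exe thread_start=0xFFFFF80012A42400
4036 svchost.exe
4040 System
4100 svchost.exe
"""

# Hidden kernel module from the handout's module scan: (base, size in bytes).
HIDDEN_MODULE = (0xFFFFF80012A40000, 147_456)

LINE_RE = re.compile(r"^(\d+)\s+(\S+)(?:\s+(.*))?$")


def parse_view(text: str) -> Dict[int, Tuple[str, str]]:
    """Parse 'PID image [details]' lines into {pid: (image, details)}."""
    procs: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        procs[int(m.group(1))] = (m.group(2), m.group(3) or "")
    return procs


def hidden_pids(os_view: str, hw_view: str) -> List[int]:
    """PIDs present in the hardware view but absent from the OS view.
    A non-empty result is the DKOM indicator: the OS-level API is lying."""
    return sorted(set(parse_view(hw_view)) - set(parse_view(os_view)))


def thread_in_module(details: str, module: Tuple[int, int]) -> bool:
    """True if a 'thread_start=0x...' address lies inside [base, base+size)."""
    m = re.search(r"thread_start=0x([0-9A-Fa-f]+)", details)
    if not m:
        return False
    addr = int(m.group(1), 16)
    base, size = module
    return base <= addr < base + size


def triage(os_view: str, hw_view: str,
           module: Tuple[int, int]) -> Dict[int, List[str]]:
    """Attach findings to each hidden PID so a responder knows what to
    preserve (live connection, thread tied to the hidden driver) before
    isolation drops the evidence."""
    hw = parse_view(hw_view)
    findings: Dict[int, List[str]] = {}
    for pid in hidden_pids(os_view, hw_view):
        _image, details = hw[pid]
        tags = ["hidden_from_os"]
        if "ESTABLISHED" in details:
            tags.append("active_network_connection")
        if thread_in_module(details, module):
            tags.append("thread_in_hidden_module")
        findings[pid] = tags
    return findings


if __name__ == "__main__":
    for pid, tags in triage(OS_VIEW, HW_VIEW, HIDDEN_MODULE).items():
        print(f"PID {pid}: {', '.join(tags)}")
```

The diff gives the same five PIDs the report lists, and the thread-start check ties PID 4032 back to the signed-but-hidden module, which is the link between the process evidence and the driver artifact that the third IM note says must be captured before isolation.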

IM Facilitation Notes

  • Release when participants ask for technical evidence from HANSEN-SAP-01 or ask why disk scans were clean.
  • Use this handout to drive discussion on kernel-level persistence, decommissioning backlog risk, and memory-based vs disk-based detection.
  • If participants move straight to isolation, prompt: the C2 channel is live. What forensic artifacts need preserving before you cut the connection?