Rootkit as part of defensive toolbox

Status
Not open for further replies.

Chaoscorpz

Technical User
Jun 5, 2006
4
CA
Hey,

Has anyone ever heard of anyone trying to use a modified rootkit in a defensive manner?

I mean, with the level of access that a rootkit gives, an IT department could have a real low level control of workstations, before someone else implants a rootkit, or other malicious software.

Couldn't IT use a rootkit as part of our toolbox against those who would use them or other malicious software against us? It could provide a level of logging that is extremely detailed.

Thanks,

IT
 
What you're suggesting makes no sense. An IT Department should already have a HIGH LEVEL (the highest level available) to access resources. Why would you notch down to a low level state?
 
I agree with segment, and I almost replied with the same exact response to this post in the Security/Forensics thread.

However, I can think of two possible uses (though not likely) of a rootkit that are unrelated to your question:
1. If you've been rootkitted yourself and for whatever reason you can't reformat or get through via other methods (often though you can regain control or just get data in other ways before the reformat).

2. To test your system from the outside by trying to get in via a rootkit.
 