Methods and apparatuses for detecting hidden network channels of rootkit tools are described. In one embodiment, critical endpoint events detected at an endpoint computer system are selectively logged to an endpoint database. Also, critical network events associated with the endpoint computer system and detected on a network are selectively logged to a gateway database. Periodically some or all of the entries in the endpoint database are compared to entries in the gateway database. Entries detected at the network but not detected at the endpoint computer system are presumed indicative of hidden network channels of rootkit tools.