Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation

Video description

...Our presentation will explore a full-chain Windows kernel post-exploitation scenario, in which we discovered and weaponized a Windows 0-day vulnerability to load our kernel rootkit. Once it is loaded, we will demonstrate how Direct Kernel Object Manipulation (DKOM) can be used to dynamically alter OS telemetry/sensor visibility, rendering endpoint security solutions ineffective. Additionally, we will showcase a number of advanced attacks, such as employing Network Driver Interface Specification (NDIS) modules to disrupt EDR cloud telemetry or establish covert persistence channels, or directly reading memory-resident keyboard state in the kernel for high-performance global keylogging....

By: Ruben Boonen, Valentina Palmiotti

Full Abstract and Presentation Materials: https://www.blackhat.com/us-23/briefi...
