Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation

...Our presentation will explore a full-chain Windows kernel post-exploitation scenario, where we discovered and weaponized a Windows 0-day vulnerability to load our kernel rootkit. Once loaded, we will demonstrate how Direct Kernel Object Manipulation (DKOM) can be utilized to dynamically alter OS telemetry/sensor visibility, thereby rendering endpoint security solutions ineffective. Additionally, we will showcase a number of advanced attacks, such as employing Network Driver Interface Specification (NDIS) modules to disrupt EDR cloud telemetry or establish covert persistence channels or directly …

0-day vulnerability advanced can endpoint endpoint security endpoint security solutions exploitation kernel kind manipulation object persistent post-exploitation presentation rootkit rootkits scenario security security solutions sensor solutions telemetry visibility vulnerability windows windows 0-day windows kernel