Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post Exploitation
This presentation will explore a full-chain Windows kernel post-exploitation scenario, where we discovered and weaponized a Windows 0-day vulnerability to load our kernel rootkit. Once loaded, we will demonstrate how Direct Kernel Object Manipulation (DKOM) can be utilized to dynamically alter OS telemetry and sensor visibility, thereby rendering endpoint security solutions ineffective. Additionally, we will showcase a number of advanced attacks, such as employing Network Driver Interface Specification (NDIS) modules to disrupt EDR cloud telemetry or establish covert persistence channels, or directly reading memory-resident keyboard states in the kernel for high-performance global

By: Ruben Boonen, Valentina Palmiotti

Full Abstract and Presentation Materials: