Close Encounters of the Advanced Persistent Kind - Leveraging Rootkits for Post-Exploitation

Black Hat via YouTube

Overview

Explore a full-chain Windows kernel post-exploitation scenario in this 38-minute Black Hat conference talk. Discover how a Windows 0-day vulnerability can be weaponized to load a kernel rootkit, and learn how Direct Kernel Object Manipulation (DKOM) is used to dynamically alter OS telemetry and sensor visibility, blinding endpoint security solutions. Delve into further attacks, including the use of Network Driver Interface Specification (NDIS) modules to disrupt EDR cloud telemetry, the establishment of covert persistence channels, and direct reads of memory-resident keyboard state in the kernel for high-performance global keylogging. Presented by Ruben Boonen and Valentina Palmiotti, this talk offers valuable insight into advanced persistent threat tradecraft and post-exploitation techniques.

Syllabus

Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation

Taught by

Black Hat
