Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation
This talk covers how rootkits are leveraged for post-exploitation: abusing vulnerable drivers, Windows feature flags, and page-swapping techniques to evade detection and maintain control of a compromised host.
- Vulnerable drivers can be used as a gateway for post-exploitation tactics such as rootkits, keyloggers, and network filtering.
- Signing vulnerable drivers with expired certificates can facilitate the loading of rootkits without arousing suspicion.
- Feature flags are toggles that can be set by a component of Windows, allowing experimentation with new features and testing capabilities.
- Page swapping techniques, which rely on the virtualization layer, can be used for remote code execution and kernel persistence.
- To evade detection, attackers often prioritize subtle manipulation of telemetry data instead of full elimination.
- Virtualization-based security measures can mitigate some of these threats, but they require specific hardware capabilities and are not foolproof.
- Even without kernel code execution, certain advanced post-exploitation tactics like direct kernel object manipulation and system call hijacking are feasible.
- Rootkits, being advanced post-exploitation tactics, are often used by state-sponsored attackers, whereas ransomware operators use different tactics.
- To maintain control, attackers may use techniques such as covert persistence, traffic relaying, or even create new vulnerabilities by experimenting with feature flags and bug discoveries.
- In some cases, vulnerable drivers can be used to directly communicate with the kernel, bypassing signature validation and patching.
- SSDT pager mapping can be employed for subtle manipulation of system calls and execution without being detected by PatchGuard.
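The takeaways above on vulnerable and expired-certificate-signed drivers are the ones a defender can act on most directly. The following PowerShell is an added example written for this page, not code from the talk or its speakers: it enumerates the kernel drivers currently loaded on a Windows host and reports each one's Authenticode status, signer and whether the signing certificate has expired, so that third-party drivers with weak or stale signatures can be triaged. It relies only on the standard `Win32_SystemDriver` CIM class and `Get-AuthenticodeSignature`; the function name and the `ThirdParty` heuristic (anything not signed under a Microsoft organisation) are this example's own choices.

```powershell
# Added example (not part of the talk): audit loaded kernel drivers for signature problems.
# Run from an elevated PowerShell prompt on the host being inspected.

function Get-LoadedDriverSignatureReport {
    $now = Get-Date

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName is often an NT-style path (\??\C:\..., \SystemRoot\..., or a bare
            # System32\... relative path); normalise it to a Win32 path we can open.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = $path -replace '^System32', "$env:SystemRoot\System32"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            $cert = $sig.SignerCertificate

            [pscustomobject]@{
                Name         = $_.Name
                Path         = $path
                SigStatus    = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
                Signer       = if ($cert) { $cert.Subject } else { $null }
                CertNotAfter = if ($cert) { $cert.NotAfter } else { $null }
                CertExpired  = if ($cert) { $cert.NotAfter -lt $now } else { $null }
                # Heuristic used by this example: drivers not signed under a Microsoft
                # organisation are the ones worth a second look.
                ThirdParty   = if ($cert) { $cert.Subject -notmatch 'O=Microsoft' } else { $true }
            }
        }
}

# Surface unsigned/tampered drivers, plus third-party drivers whose signing
# certificate has already expired, for manual review.
Get-LoadedDriverSignatureReport |
    Where-Object { $_.SigStatus -ne 'Valid' -or ($_.CertExpired -and $_.ThirdParty) } |
    Sort-Object ThirdParty, Name |
    Format-Table Name, SigStatus, CertExpired, CertNotAfter, Signer -AutoSize
```

An expired signing certificate is a triage signal, not a verdict: Windows continues to load drivers whose signature was timestamped while the certificate was valid, which is exactly why the talk flags expired-certificate signing as a low-suspicion loading path. Treat the output as a candidate list to cross-check against Microsoft's recommended driver block rules (the vulnerable driver blocklist enforced through HVCI and App Control) and against your own inventory of expected third-party drivers.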