{"id":10803,"date":"2023-03-07T09:40:18","date_gmt":"2023-03-07T09:40:18","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=10803"},"modified":"2023-05-19T10:36:31","modified_gmt":"2023-05-19T10:36:31","slug":"commsec-lab-developing-malicious-kernel-drivers","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-lab-developing-malicious-kernel-drivers\/","title":{"rendered":"COMMSEC LAB: Developing Malicious Kernel Drivers"},"content":{"rendered":"<p><a href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/materials\/D2%20COMMSEC%20LAB%20-%20Developing%20Malicious%20Kernel%20Drivers%20-%20Tijme%20Gommers%20&amp;%20Jaan-Jaap%20Korpershoek.pdf\">LAB SLIDES \/ MATERIALS (PDF)<\/a><\/p>\n<hr \/>\n<p style=\"text-align: justify;\">You know what really grinds my gears? Having everything thought out for a red team action, and then being detected by modern EDR, especially when simulating APTs and trying to stay unobtrusive in the network for extended periods of time. Over the years we\u2019ve moved from PowerShell one-liners to LOLBINS, from LOLBINS to C# malware, and finally we&#8217;ve utilised direct syscalls. Somehow it still feels like modern EDR is chewing the scenery.<\/p>\n<p style=\"text-align: justify;\">Kernel driver abuse is an existing but less well-known technique that offers an opportunity to remain undetected while infiltrating organisations for extended periods of time. For example, InvisiMole actively abuses BYOVD (Bring Your Own Vulnerable Driver) in the war in Ukraine. If you manage to load or exploit a kernel driver, nothing but relaxation awaits you, with a beer in your left hand and your C2 in your right. But loading or exploiting one poses several technical challenges, apart from all the knowledge required to work with kernel drivers. Obtaining that knowledge seems difficult. 
However, the road to kernel driver exploitation is not that long.<\/p>\n<p style=\"text-align: justify;\">This lab is for those who have heard about the Windows kernel and want to learn more about it. We\u2019ll dive into the concepts of computer architecture, drivers, user and kernel mode, and kernel exploits. <strong>The best part is that you\u2019ll learn to exploit and develop your first malicious kernel driver. <\/strong><\/p>\n<p style=\"text-align: justify;\">For this lab, you will need:<\/p>\n<ul>\n<li>Windows 10 VM<\/li>\n<li>Sysinternals Suite (<a href=\"https:\/\/download.sysinternals.com\/files\/SysinternalsSuite.zip\">https:\/\/download.sysinternals.com\/files\/SysinternalsSuite.zip<\/a>)<\/li>\n<li>WinDbg (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/debugger\/debugger-download-tools\">https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/debugger\/debugger-download-tools<\/a>)<\/li>\n<li>Visual Studio Build Tools to compile C code. 
Select \u201cDesktop Development with C++\u201d on installation (<a href=\"https:\/\/visualstudio.microsoft.com\/downloads\/?q=build+tools#tools-for-visual-studio-2022-family\">https:\/\/visualstudio.microsoft.com\/downloads\/?q=build+tools#tools-for-visual-studio-2022-family<\/a>)<\/li>\n<li>IDA free (<a href=\"https:\/\/hex-rays.com\/ida-free\/#download\">https:\/\/hex-rays.com\/ida-free\/#download<\/a>)<\/li>\n<\/ul>\n","protected":false},"template":"","class_list":["post-10803","session","type-session","status-publish","hentry"],"acf":[],"yoast_head_json":{"title":"COMMSEC LAB: Developing Malicious Kernel Drivers - HITBSecConf2023 - Amsterdam","canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/commsec-lab-developing-malicious-kernel-drivers\/","og_site_name":"HITBSecConf2023 - Amsterdam","article_modified_time":"2023-05-19T10:36:31+00:00"}}
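The abstract leans on BYOVD and on staying under the EDR radar. Whether that actually works on a given host depends on mitigations the abstract does not mention: HVCI (memory integrity), the Microsoft vulnerable driver blocklist, and test-signing mode, all of which decide whether an unsigned or known-vulnerable driver loads at all. The PowerShell script below is an added example and is not part of the HITB lab materials or the authors' code. It reads those switches and lists running drivers that are not Microsoft-signed, which is the triage a red teamer wants before bringing a driver and the baseline a defender wants for a BYOVD hunt. It assumes Windows 10/11 with Windows PowerShell 5.1 run as Administrator, the `Win32_DeviceGuard` WMI class, and the `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config` as documented by Microsoft; the function names are my own.

```powershell
# Added example (not from the HITB lab materials): triage a Windows 10/11 host for the
# mitigations that decide whether driver loading / BYOVD is viable, and inventory running
# drivers that are not Microsoft-signed. Run from an elevated Windows PowerShell 5.1 prompt.

function Get-KernelDriverMitigationState {
    # VBS / HVCI state from the Device Guard WMI provider.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvci = $false
    if ($dg -and $dg.SecurityServicesRunning -contains 2) { $hvci = $true }

    # Microsoft vulnerable driver blocklist switch (DWORD, 1 = enforced).
    # An absent value means the platform default applies.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
                  -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    # Test-signing mode (relaxed Driver Signature Enforcement) is visible in the boot config.
    $bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
    $testSigning = $bcd -match 'testsigning\s+Yes'

    [pscustomobject]@{
        VbsStatus                 = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { $null }  # 2 = running
        HvciRunning               = $hvci
        VulnerableDriverBlocklist = $blocklist
        TestSigningEnabled        = $testSigning
    }
}

function Get-ThirdPartyRunningDrivers {
    # Win32_SystemDriver.PathName comes in several shapes: 'C:\Windows\system32\drivers\x.sys',
    # '\??\C:\...\x.sys' or '\SystemRoot\system32\drivers\x.sys'. Normalise before checking.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }
    foreach ($d in $drivers) {
        $path = $d.PathName
        if (-not $path) { continue }
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Embedded Authenticode signature (catalog-only signatures may show as NotSigned here;
        # cross-check those with sigcheck from the Sysinternals Suite the lab already requires).
        $sig = Get-AuthenticodeSignature -FilePath $path
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $isMicrosoft = $subject -match 'O=Microsoft Corporation'
        $inDriversDir = $path -like "$env:SystemRoot\System32\drivers\*"

        # Emit only what a BYOVD hunt cares about: non-Microsoft or oddly located drivers.
        if (-not $isMicrosoft -or -not $inDriversDir) {
            [pscustomobject]@{
                Name      = $d.Name
                Path      = $path
                SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = $subject
            }
        }
    }
}

Get-KernelDriverMitigationState | Format-List
Get-ThirdPartyRunningDrivers | Sort-Object SigStatus, Name | Format-Table -AutoSize
```

Read the first block before the second: with `HvciRunning` true and the blocklist enforced, a known-vulnerable driver will be refused at load time regardless of its valid signature, so the "load a vulnerable driver" path from the abstract is closed and only a driver with a fresh, unblocked signature or an exploit in an already-loaded driver remains. The second block is deliberately noisy on purpose-built lab VMs (hypervisor tools, EDR agents and VM guest drivers are all third-party); what matters for a hunt is the delta against a known-good baseline of the same image.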