Windows Rootkit Development: Python prototyping to kernel level C2

DerbyCon 7.0 - Legacy

Presented by: R.J. McDown
Date: Saturday September 23, 2017
Time: 12:00 - 12:50
Location: Track 3 - Teach Me

Red teams are always looking for new ways to persist on hosts that could potentially take several days to compromise. The necessity for reliable, stealthy persistence is highlighted when the compromised target is the initial foothold into the internal target network. Common methods and tools used to persist on compromised hosts will be briefly covered before diving into developing custom software operating at the user and kernel level. A couple of opensource projects, and their APIs, will be introduced that make it possible to interact with kernel level drivers from user-mode programs. Both, Python and C APIs are available, allowing for Python prototyping before moving to C, a compiled language. This is great for testing and researching new features, as design flaws can be worked through quicker. Lastly, a demonstration will be given of evading event logs, subverting host firewall configurations, hiding active C2 network connections from the OS, spawning arbitrary sessions (PowerShell Empire, Metasploit, etc.), and harvesting credentials from network traffic.

R.J. McDown

R.J. McDown (BeetleChunks) is a security researcher, penetration tester, and red teamer with experience assessing numerous Fortune 500 companies. In his spare time, he works on developing and researching new tools and techniques to be used on client assessments and IOCs associated with them. @BeetleChunks

R.J. McDown

R.J. McDown (BeetleChunks) is a security researcher, penetration tester, and red teamer with experience assessing numerous Fortune 500 companies. In his spare time, he works on developing and researching new tools and techniques to be used on client assessments and IOCs associated with them. @BeetleChunks


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats