Andrew Case gave this talk in May 2023 at the Volexity Cyber Sessions.
Over the last several years, Microsoft has added many new security features aimed at disrupting kernel-level malware. These include enabling Driver Signature Enforcement by default, greatly updating Patch Guard, and adding significant new logging capabilities related to kernel-level code. As usual, rootkit developers adapted to these changes so that they could still load code into the kernel and maintain system control, all while evading the latest versions of Patch Guard. This talk walks through the most commonly observed examples of these techniques, including those used by a variety of APT groups. A mix of event log analysis and memory forensics is used to showcase methods that automatically detect techniques deployed by modern rootkits.