Today > 5 Critical | 8 High | 34 Medium vulnerabilities   -   You can now download lists of IOCs here!

Kernel shellcode persistence technique in APT attacks and CTF challenge

Oct. 18, 2024, 8:50 a.m.

Description

A security flaw in Windows 7 and Server 2008 R2 allows kernel shellcode to be hidden in the registry and executed during boot, despite patches. This vulnerability was exploited in a 2018 targeted attack. The SAS CTF challenge involved analyzing this technique, which uses buffer overflows in DirectX drivers to inject and execute malicious code. Participants had to reverse engineer the shellcode, decrypt a second stage payload, and analyze a keylogger that revealed the final flag. The exploit demonstrates how attackers can achieve stealthy persistence with admin privileges on older Windows systems.

Date

Published: Oct. 17, 2024, 4:16 p.m.

Created: Oct. 17, 2024, 4:16 p.m.

Modified: Oct. 18, 2024, 8:50 a.m.

Attack Patterns

T1573.002

T1014

T1056.001

T1574.001

T1547

T1055