The Journey of Hunting In-the-Wild Windows LPE 0day

Presented at Black Hat USA 2022, Aug. 11, 2022, 3:20 p.m. (40 minutes)

From 2017 to 2021, Microsoft disclosed a total of 28 in-the-wild Windows LPE 0days, most of them Windows kernel LPE vulnerabilities. These vulnerabilities are frequently used by top-tier APT groups and can cause great harm. For security vendors, capturing an in-the-wild Windows kernel LPE 0day is very challenging.

At the beginning of 2020, we decided to try to capture an in-the-wild Windows kernel LPE 0day. To achieve this, we studied a large number of historical cases and then developed an effective detection method for Windows LPE vulnerabilities.

This talk focuses on our story of hunting in-the-wild Windows LPE during 2020 and 2021: why we believed this was possible, how we studied historical cases, how we turned what we learned into a detection method, and how we continuously improved the method to make it more accurate and effective. Using this method, we successfully captured two in-the-wild Windows LPE 0days and one in-the-wild Windows LPE 1day.

We will also compare the advantages and disadvantages of our method with other vendors' methods, and give some insights into future trends in Windows LPE 0days.


Presenters:

  • Quan Jin - Security Research Expert, DBAPPSecurity
    Quan Jin is a security research expert at DBAPPSecurity. He previously worked on the Qihoo 360 Advanced Threat Response Team. He has received more than 35 CVE acknowledgments from Microsoft and ranked 19th in the 2021 MSRC Most Valuable Security Researcher list. He and his team have captured several in-the-wild 0days on the Windows platform. He has previously spoken at BlueHat Shanghai 2019 and HITB2021AMS.