Kill Chain Reloaded: Abusing legacy paths for stealth persistence

Presented at DEF CON 33 (2025), Aug. 9, 2025, 10:30 a.m. (45 minutes).

Throughout our Red Team operations, we've focused our research on advancing techniques to gain direct access to physical memory and achieve execution with the highest privileges (kernel mode). This talk presents the current state of the art in stealthy post-exploitation, sharing innovative approaches and refined methodologies developed over recent years. Topics include bypassing modern EDR solutions via physical memory access primitives, physical access techniques, and advanced post-exploitation techniques on Windows systems. We will demonstrate how often-overlooked low-level access vectors can enable persistent, undetectable control over targeted systems. The session is tailored for cybersecurity professionals interested in cutting-edge Red Team tactics and emerging hardware/software threats. Practical demos will be included, along with tools and methodologies applicable across multiple scenarios. This is a deeply technical talk, showcasing real-world tradecraft and threat modeling beyond traditional offensive security.

References:

- ESET. (n.d.). Machine Learning and UEFI. [link](https://web-assets.esetstatic.com/wls/en/papers/white-papers/ESET_Machine_Learning_UEFI.pdf)
- HackingThings. (n.d.). SignedUEFIShell [GitHub repository]. GitHub. [link](https://github.com/HackingThings/SignedUEFIShell/tree/main)
- SOC Investigation. (2023). UEFI persistence via wpbbin: Detection & response. [link](https://www.socinvestigation.com/uefi-persistence-via-wpbbin-detection-response/)
- Sophos. (2023, June 2). Researchers claim Windows backdoor affects hundreds of Gigabyte motherboards. [link](https://news.sophos.com/en-us/2023/06/02/researchers-claim-windows-backdoor-affects-hundreds-of-gigabyte-motherboards/)
- tandasat. (n.d.). WPBT-Builder [GitHub repository]. GitHub. [link](https://github.com/tandasat/WPBT-Builder?tab=readme-ov-file)
- Persistence Info. (n.d.). WPBBin. [link](https://persistence-info.github.io/Data/wpbbin.html)
- Unified Extensible Firmware Interface Forum. (n.d.). UEFI Revocation List File. [link](https://uefi.org/revocationlistfile)
- Microsoft. (n.d.). secureboot_objects [GitHub repository]. GitHub. [link](https://github.com/microsoft/secureboot_objects)
- HackingThings. (n.d.). OneBootloaderToLoadThemAll [GitHub repository]. GitHub. [link](https://github.com/HackingThings/OneBootloaderToLoadThemAll/)
- Knopper, K. (n.d.). Knoppix and UEFI. [link](https://www.knopper.net/knoppix/knoppix-uefi-en.html)
- br-sn. (n.d.). Removing Kernel Callbacks Using Signed Drivers. [link](https://br-sn.github.io/Removing-Kernel-Callbacks-Using-Signed-Drivers/)
- br-sn. (n.d.). CheekyBlinder [GitHub repository]. GitHub. [link](https://github.com/br-sn/CheekyBlinder)
- VL. (2021). Removing Process Creation Kernel Callbacks. Medium. [link](https://medium.com/@VL1729_JustAT3ch/removing-process-creation-kernel-callbacks-c5636f5c849f)
- lawiet47. (n.d.). STFUEDR [GitHub repository]. GitHub. [link](https://github.com/lawiet47/STFUEDR)
- hfiref0x. (n.d.). KDU (Kernel Driver Utility) [GitHub repository]. GitHub. [link](https://github.com/hfiref0x/KDU)
- TheCruZ. (n.d.). kdmapper [GitHub repository]. GitHub. [link](https://github.com/TheCruZ/kdmapper)
- Sophos. (2022, October 4). BlackByte ransomware returns, abuses RTCore64.sys driver to disable kernel callbacks. Sophos News. [link](https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/)

Presenters:

  • Alejandro "0xedh" Hernando
    Red Team Operator and Security Researcher with over ten years of experience in offensive cybersecurity. Throughout his career, he has worked hands-on in assessing, exploiting and mitigating security vulnerabilities, developing proof-of-concepts, offensive and defensive tools, and conducting in-depth security research on commercial and proprietary solutions. His approach is based on a combination of applied research and real-world experience, emphasizing continuous learning and optimization of defense and attack strategies.
  • Borja "borjmz" Martinez
    Computer security has been a passion for him for as long as he can remember. He is self-taught and seeks to learn something new every day, both professionally and personally. He is a specialist with more than 9 years of experience in pentesting, Red Team and research, with a highly versatile profile. He is also a CTF player.
