Tijme Gommers

Tijme is Product Lead Adversary Simulation in a red team. In his role, he facilitates red team operators with the tools needed to simulate APT’s as accurately as possible. He spends most of his time on cyber security research. Over the past years, this research mainly focused on Adversary Tactics and Red Team Operations. Furthermore, with his polyglot software engineering background, he works on the development of current exploit code and malware, used to simulate APT’s penetrating target organisations. One of his latest projects is KernelMii , an open-source Cobalt Strike (CS) Beacon Object File (BOF) for kernel exploitation.


Sessions

12-09
13:55
45min
Elevate & Conquer: A Journey Into Kernel Exploitation
Tijme Gommers

Bring Your Own Vulnerable Driver (BYOVD) has become an extremely popular attack technique seen in the wild. Even ransomware groups are using it to blind Endpoint Detection & Response (EDR), dump protected credentials from memory, erase their own traces, and all sorts of other juicy things you can do in the Windows kernel. But why bring your own vulnerable driver when you can use those already installed?

In this talk we’ll share our journey of exploiting a critical zero-day vulnerability that we found VPN software, used by more than 40.000 organisations world-wide. After a recap on kernel drivers, we’ll reveal how anyone in the audience can find vulnerabilities like these on live systems. Furthermore, we’ll share our abuse path to exploit the vulnerability. We'll reveal several techniques you can use to overcome typical restrictions when exploiting kernel drivers. We’ll show you how we applied these techniques to build an exploit that we use in red teaming engagements. Lastly, we demo the exploitation of the vulnerability on a target system, resulting in SYSTEM privileges.

The talk is accompanied by the first-hand public release of the exploit, in the form of a Cobalt Strike (CS) Beacon Object File (BOF). Additionally, we’ll publish a blog post that includes all technical details.

Track 2