Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

21-Feb-23

In this article, the IBM Security X-Force Red offensive security team examines how attackers who have already obtained elevated privileges can use that access to establish Windows kernel post-exploitation capabilities. Public reporting over the past few years has shown that even less experienced attackers are increasingly employing this method to accomplish their goals.

It is therefore important to draw attention to this capability and to understand its potential implications. In particular, this post examines how kernel post-exploitation can be used to disable ETW sensors, and ties that technique to malware samples found in the wild during the previous year.

Read More…