
Omri Misgav - Running Rootkits Like A Nation-State Hacker


    Omri Misgav, CTO, Security Research Group Fortinet, He/Him
    Presentation Title: Running Rootkits Like A Nation-State Hacker
    Length of presentation: 20 minutes
    Demo, Tool

    Code Integrity is a threat protection feature first introduced by Microsoft over 15 years ago. On x64-based versions of Windows, kernel drivers must be digitally signed and checked each time they are loaded into memory. This is also referred to as Driver Signature Enforcement (DSE).

    The past year showed that high-profile APT groups kept leveraging the well-known tampering technique to disable DSE at runtime. Meanwhile, Microsoft rolled out new mitigations: driver blocklists and Kernel Data Protection (KDP), a new platform security technology for preventing data-oriented attacks.

    Since a blocklist only narrows the attack vector, we focused on how KDP was applied in this case to eliminate the attack surface.

    We found two novel data-based attacks to bypass KDP-protected DSE, one of which is feasible in real-world scenarios. Furthermore, they work on all Windows versions, starting with the first release of DSE. We’ll present each method and run them on live machines.

    We’ll discuss why KDP is an ineffective mitigation. As it didn’t raise the bar against DSE tampering, we looked for a different approach to mitigate it. We’ll talk about how defenders can take a page out of attackers’ playbook to cope with the issue until HVCI becomes prevalent and really eliminates this attack surface.
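The abstract names HVCI as the mitigation that actually closes this attack surface, and DSE's premise is that every loaded kernel driver carries a valid signature. The following PowerShell script is an added defender-side check, not code from the talk or from Fortinet: it reports whether VBS and HVCI are running via the documented Win32_DeviceGuard CIM class, then enumerates running kernel drivers from Win32_SystemDriver and verifies each file's signature with Get-AuthenticodeSignature. It assumes Windows 10/11 with PowerShell 5.1 or later (Win32_DeviceGuard and the SignatureType property are not available on older systems); the path normalization handles the NT-style path forms Win32_SystemDriver returns.

```powershell
# Added example (not from the talk): report HVCI state and flag running kernel
# drivers whose signature does not verify. Assumes Windows 10/11, PowerShell 5.1+.

function Get-HvciStatus {
    # Win32_DeviceGuard exposes VBS state; the value 2 in SecurityServicesRunning means HVCI is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        VbsStatus      = $vbs
        HvciConfigured = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning    = ($dg.SecurityServicesRunning    -contains 2)
    }
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver returns NT-style paths (\??\C:\..., \SystemRoot\..., System32\...);
    # map them to Win32 paths that Test-Path and Get-AuthenticodeSignature understand.
    $p = $PathName.Trim('"')
    if ($p -like '\??\*')          { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*')  { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    elseif ($p -like 'System32\*') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    # One record per running kernel driver: signature status, type (Authenticode or Catalog) and signer.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{
                    Driver        = $_.Name
                    Path          = $path
                    Status        = $sig.Status
                    SignatureType = $sig.SignatureType
                    Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            } else {
                [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = 'FileNotFound'; SignatureType = $null; Signer = $null }
            }
        }
}

# Usage: print the HVCI state, then only the drivers whose signature did not verify.
Get-HvciStatus | Format-List
$report = Get-DriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table Driver, Status, SignatureType, Path -AutoSize
"{0} running drivers checked, {1} without a valid signature" -f $report.Count, @($report | Where-Object Status -ne 'Valid').Count
```

Two caveats for reading the output: many inbox drivers are catalog-signed rather than embedding an Authenticode signature, which is why SignatureType is reported alongside Status; and a Valid result only says the file is signed by a trusted publisher, not that the driver would pass Microsoft's blocklist or that DSE has not been tampered with on the running kernel. The script is an inventory aid for a defender, not a substitute for HVCI.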


    Omri has over a decade of experience in cyber-security. He serves as the CTO of a security research group at Fortinet focused on OS internals, malware and vulnerabilities, and spearheads development of new offensive and defensive techniques. Prior to Fortinet, Omri was the security research team leader at enSilo. Before that, he led the R&D of unique network and endpoint security products for large-scale enterprise environments and was part of an incident response team, conducting investigations and hunting for nation-state threat actors.
