Abstract

While popular during the "bootkit" craze more than a decade ago, boot-time persistence has once again quieted down, thanks in part to the rise of various security technologies that Microsoft and vendors have been pushing out. With UEFI, the bar is much higher to gain a foothold, especially with technologies such as Secure Boot, Measured Boot and Boot Guard.

Additionally, even successful boot-time persistence techniques now have a great deal of trouble migrating into the kernel's execution state, as PatchGuard received numerous improvements in recent versions specifically targeting "floating code" persistence in the kernel. Hooks, callbacks, and even mere periodic execution of malicious Ring 0 code are now significantly harder to achieve in Windows 10 than ever before.

In one direction, some attackers have migrated directly into the "negative" rings of hypervisors and SMM/ME code, which allow implants to execute without Windows' knowledge. But such implementations become hardware-specific and hard to scale, compared with being able to leverage (and hide in) the vast array of Windows kernel facilities.

In this talk, we'll review some specific mitigations Microsoft has built against boot-time persistence, as well as various little-acknowledged PatchGuard behaviors that make this even harder. Then, we'll discuss new ways to jump from firmware to kernel without triggering the usual alarms or affecting TPM-measured data structures, secretive side channels that can be established between firmware-persistent code and user/kernel Windows code, tricks to hide from traditional forensic/memory dump technologies, and interesting techniques to achieve periodic execution of free-floating code without PatchGuard's watchful eye.

Keep in mind that this session assumes Ring 0 code execution has already been achieved and/or physical access has been granted, and is meant to help defenders understand potential ways insiders and other deeply resourceful actors can burrow into the system. If you believe getting Ring 0 is the only goal that matters, this session is probably not for you.

Videos