Phantom Code: Evading Windows 11 25H2 Through POSIX-Based Self-Deletion and Stealth Injection

By Jakkaraju Varshith, Vivek Joshi on 01 Mar 2026 @ Nullcon
#evasion #windows #process-injection #red-teaming #malware-research
Focus Areas: 💻 Endpoint Security , 🦠 Malware Analysis , 🎯 Penetration Testing

Abstract

In September 2024, Microsoft released Windows 11 24H2 (the behaviour carries over to the current 25H2 release), introducing undocumented changes to the NTFS driver that broke the established self-deletion techniques used by malware and red team tools. The traditional method, renaming the executable's main data stream to an alternate data stream (ADS) and then setting the delete disposition on the handle, stopped working.

This talk presents research into adapting self-deletion techniques to the new Windows environment. After reverse-engineering the updated NTFS behaviour, we found that the FILE_DISPOSITION_POSIX_SEMANTICS flag, originally added for Windows Subsystem for Linux compatibility, provides a reliable workaround: set through FILE_DISPOSITION_INFO_EX, it removes the file name from the directory immediately and defers the actual deletion until the last handle closes, the same lifecycle a POSIX unlink() gives an open file. Beyond self-deletion, we show how the technique fits into modern process injection workflows that target explorer.exe through the WriteProcessMemory and CreateRemoteThread APIs, with specific considerations for Windows 11's security features. Attendees will learn the technical details behind the NTFS modifications in Windows 11 24H2/25H2, the practical use of POSIX delete semantics inside the Windows NT kernel, and defensive strategies for detecting these techniques.
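The delete semantics the abstract relies on, shown as an added example that is not code from the talk or its authors. On Windows the routine opens a file with DELETE access and FILE_SHARE_DELETE and sets FILE_DISPOSITION_INFO_EX with FILE_DISPOSITION_FLAG_DELETE | FILE_DISPOSITION_FLAG_POSIX_SEMANTICS through SetFileInformationByHandle(FileDispositionInfoEx); on Linux it does the unlink() that the flag emulates. In both cases the function reports whether the name disappeared while the handle was still open, which is exactly the property that separates POSIX delete from the classic FILE_DISPOSITION_INFO delete-on-last-close. The scratch file name and its contents are constructed for the example; it deletes a scratch file rather than the running image, and whether the flag also succeeds against a mapped executable on 24H2/25H2 is what the talk itself covers.

```c
// Added example: delete an open file with POSIX semantics and observe that the
// directory entry vanishes before the handle is closed.  Windows branch uses the
// FILE_DISPOSITION_POSIX_SEMANTICS flag discussed in the talk; the Linux branch
// uses unlink(), the behaviour that flag emulates.
#ifdef _WIN32
#define _WIN32_WINNT 0x0A00   /* FILE_DISPOSITION_INFO_EX needs a Win10 SDK target */
#include <windows.h>
#else
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#endif
#include <stdio.h>
#include <string.h>

/* Write a constructed scratch file so there is something to delete. */
static int write_scratch(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    fputs("constructed sample payload\n", f);
    return fclose(f);
}

/* 1 if a directory entry for path currently exists, 0 otherwise. */
int name_exists(const char *path) {
#ifdef _WIN32
    return GetFileAttributesA(path) != INVALID_FILE_ATTRIBUTES;
#else
    struct stat st;
    return stat(path, &st) == 0;
#endif
}

/* Mark an open file for deletion with POSIX semantics.
 * Returns 1 if the name was already gone while the handle was still open,
 * 0 if the name was still present (delete-on-last-close behaviour), -1 on error. */
int posix_delete_open_file(const char *path) {
#ifdef _WIN32
    HANDLE h = CreateFileA(path, DELETE, FILE_SHARE_READ | FILE_SHARE_DELETE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    FILE_DISPOSITION_INFO_EX fdi;
    memset(&fdi, 0, sizeof fdi);
    fdi.Flags = FILE_DISPOSITION_FLAG_DELETE | FILE_DISPOSITION_FLAG_POSIX_SEMANTICS;
    if (!SetFileInformationByHandle(h, FileDispositionInfoEx, &fdi, sizeof fdi)) {
        CloseHandle(h);
        return -1;
    }
    int gone = !name_exists(path);   /* name removed from the directory now */
    CloseHandle(h);                  /* file data is released here */
    return gone;
#else
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    if (unlink(path) != 0) { close(fd); return -1; }
    int gone = !name_exists(path);   /* entry is gone immediately */
    char buf[64];
    ssize_t n = read(fd, buf, sizeof buf);  /* data still readable via the fd */
    close(fd);
    return (gone && n > 0) ? 1 : 0;
#endif
}

/* Create the scratch file, then delete it out from under an open handle. */
int demo_posix_delete(const char *path) {
    if (write_scratch(path) != 0) return -1;
    return posix_delete_open_file(path);
}

int main(void) {
    const char *path = "phantom_demo.bin";   /* constructed scratch file name */
    int r = demo_posix_delete(path);
    printf("name removed while handle open: %s\n",
           r == 1 ? "yes (POSIX semantics)" : r == 0 ? "no" : "error");
    return r == 1 ? 0 : 1;
}
```

For the defensive side, the same property is what a detection has to key on: the file is gone from the namespace before the process that owned it exits, so file-creation and file-deletion telemetry (Sysmon Event IDs 23 and 26 for FileDelete) correlated with the process that issued the delete is more useful than scanning for the file afterwards, and the injection step into explorer.exe surfaces as Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with explorer.exe as the target.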