Code Graphology: How to study an exploit to identify developer habits and discover more

Writing exploits is a complex task, and building a reliable proof of concept (POC) requires some experience. Most of the time, exploit developers rely on certain habits to fingerprint the operating system, elevate privileges, or exploit primitives.

Recognizing an exploit developer's habits can be very useful for identifying a variant of an exploit or an additional POC. This presentation will focus on studying a local privilege escalation (LPE) on the Windows operating system and how we can dissect it to identify artifacts that can be used to hunt for similar code in the wild.

Throughout the presentation, we will detail some of the exploit mechanisms and see how to build reliable hunting rules. The audience will learn more about exploit techniques and how to identify the parts of the code that may be relevant to analyse for threat hunting.