About the Speaker
< Talk Abstract />
In September 2024, Microsoft released Windows 11 24H2 (Current 25H2), introducing undocumented changes to the NTFS driver that broke every existing self-deletion technique used by malware and red team tools. Traditional methods—renaming the main file stream to an alternate data stream (ADS) before setting delete disposition—suddenly stopped working. Files appeared deleted but remained recoverable through forensic analysis, creating a significant problem for legitimate penetration testing tools.
This talk presents my research into adapting self-deletion techniques for the new Windows environment. I discovered that Microsoft's changes essentially treat ADS renames differently at the driver level, preventing complete file removal. After reverse-engineering the updated NTFS behavior, I found that leveraging `FILE_DISPOSITION_POSIX_SEMANTICS`—a flag originally designed for Windows Subsystem for Linux compatibility—provides a reliable workaround. This approach bypasses the 25H2 restrictions entirely.
Beyond self-deletion, I demonstrate how this technique integrates with modern process injection workflows. My implementation targets `explorer.exe` using the classic `WriteProcessMemory` and `CreateRemoteThread` APIs, but with specific considerations for Windows 11's enhanced security features. I'll show how combining these methods creates a complete evasion chain that both defeats static signature detection and leaves minimal forensic artifacts.
Attendees will learn the technical details behind Windows 11 25H2's NTFS modifications, practical exploitation of POSIX semantics within the Windows NT kernel, and defensive strategies for detecting these techniques. I'll provide live demonstrations showing the difference between failed legacy methods and my working implementation, along with forensic analysis proving complete file deletion. This research matters because red teams need functional tools for authorized assessments, and blue teams must understand current evasion capabilities. The talk includes code samples, detection signatures for EDR vendors, and a frank discussion about the cat-and-mouse game between offensive techniques and Microsoft's security improvements.
< Speaker Bio />
Jakkaraju Varshith is a cybersecurity researcher pursuing an M.Sc. in Cybersecurity and Digital Forensics at Rashtriya Raksha University, specializing in red team operations, Windows exploitation, and malware analysis.
His technical expertise spans exploit development, digital forensics, and AI-driven security automation. Varshith actively contributes to open-source security tooling, including MCP-based integrations for Volatility3 memory forensics and IDA Pro binary analysis, bridging modern AI assistants with security research workflows. His research focuses on Windows internals, offensive security techniques, and automated analysis frameworks. He emphasizes practical implementation and reproducible methodologies, providing security research that serves both offensive capabilities for authorized assessments and defensive detection guidance for security operations teams.
Vivek Joshi has over 12 years of academic and professional teaching experience, specializing in Cyber Security, Open-Source Intelligence (OSINT), and Digital Forensics. I have trained hundreds of students, professionals, and law-enforcement personnel in advanced security concepts, threat analysis, and investigative methodologies. My core interests include OSINT-driven threat intelligence, cybercrime investigation, digital forensics, and the practical application of emerging technologies in cybersecurity education and research. With a strong focus on bridging theory and real-world practice, I actively contribute to cybersecurity capacity building through teaching, research, and technical workshops, and am passionate about empowering the next generation of security professionals with practical, ethical, and analytical skills.