Listen to this Post

The recent Windows 11 24H2 update has disrupted a well-known malware evasion method—the Lloyd Labs self-deletion technique. This method, often used by malware to erase traces after execution, now fails due to NTFS changes in the latest Windows version.
Full technical breakdown: https://tkyn.dev
You Should Know:
Why the Lloyd Labs Method Fails in Windows 11 24H2
The self-deletion technique relied on manipulating NTFS file system behavior to delete an executable while it was still running. However, Microsoft’s changes in NTFS transaction handling now prevent this exploit.
Debugging the Issue with Kernel Analysis
To understand the failure, kernel debugging tools were used:
windbg -k net:port=50000,key=1.2.3.4
Key findings:
- File handle retention is now stricter.
- Transaction rollback prevents forced deletion.
Alternative Evasion Techniques (For Research & Defense)
Since the old method no longer works, malware authors may switch to:
1. Process Hollowing
Invoke-ProcessHollowing -Path "C:\Windows\System32\notepad.exe" -Payload "C:\malware.bin"
2. Memory-Only Execution
Using PowerShell reflection:
$bytes = [System.IO.File]::ReadAllBytes("C:\malware.bin")
$assembly = [System.Reflection.Assembly]::Load($bytes)
$entryPoint = $assembly.EntryPoint
$entryPoint.Invoke($null, $null)
3. Legitimate Process Injection
Via DLL sideloading:
rundll32.exe "C:\legit.dll",MaliciousEntry
Defensive Measures for Security Teams
1. Monitor suspicious process behavior:
Get-WmiObject Win32_Process | Where-Object { $_.CommandLine -match "self-delete" }
2. Enable deep NTFS auditing:
fsutil behavior set disablelastaccess 0
3. Use Sysmon for file deletion tracking:
<Sysmon> <EventFiltering> <RuleGroup name="File Deletion"> <FileDelete onmatch="include"> <TargetFilename condition="contains">.exe</TargetFilename> </FileDelete> </RuleGroup> </EventFiltering> </Sysmon>
What Undercode Say
Windows 11 24H2’s NTFS changes mark a significant shift in malware evasion tactics. While the Lloyd Labs method is now obsolete, attackers will adapt. Defenders must:
– Analyze new file system behaviors
– Update detection rules for emerging techniques
– Leverage kernel debugging for forensic investigations
Expected Output:
Security researchers and red teams should test new evasion methods while blue teams enhance monitoring for alternative attack vectors.
Prediction
Malware authors will likely shift to fileless attacks or abuse trusted processes to bypass Windows 11 24H2’s strengthened defenses.
IT/Security Reporter URL:
Reported By: Thomas Keeferiii – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


