Dutch
English

Windows Kernel Exploitation Framework

KEF is an advanced Windows kernel exploitation tool developed by WebSec for authorized red teams, government agencies, law enforcement, military cyber units, and vetted security operators. Gain controlled Windows kernel-mode access, validate EDR and XDR resilience, and conduct realistic kernel-level adversary simulations in hardened Windows environments.

decorative

What is the Kernel Exploitation Framework?

The Kernel Exploitation Framework, also known as KEF, is a professional offensive security tool developed by WebSec for advanced Windows security testing. It gives authorized operators kernel-level visibility and control over processes, access tokens, protection levels, callbacks, ETW providers, WFP callouts, minifilters, and other security-sensitive Windows components.

Unlike conventional offensive security tools that primarily operate in user mode, KEF operates in Windows kernel mode at ring0. This allows operators to assess security controls within the same operating-system privilege domain used by the Windows kernel, kernel-mode drivers, and many EDR, XDR, antivirus, and system-monitoring components.

KEF is built for authorized red team engagements, government operations, law enforcement, military cyber units, intelligence teams, security research, and defensive control validation. It is designed for hardened Windows environments where conventional user-mode tooling may be restricted, monitored, or blocked.

Benefits of the WebSec Kernel Exploitation Framework

Kernel-Level Security Testing - Assess hardened Windows systems from kernel mode and validate controls that cannot be fully tested using conventional user-mode tooling.
Realistic Adversary Simulation - Reproduce advanced Windows attack paths to evaluate EDR, XDR, SIEM, endpoint hardening, and incident response capabilities.
Centralized Operator Control - Manage processes, tokens, callbacks, telemetry providers, WFP callouts, protection levels, and kernel activity from a single tool.
Detection Engineering Support - Correlate operator actions with endpoint and SIEM telemetry to identify missed detections and improve defensive coverage.

Advanced Windows Kernel Security Testing

Modern endpoint security products enforce many of their protections inside the Windows kernel. KEF operates within the same operating-system privilege domain, giving authorized operators the visibility and capabilities required to test kernel callbacks, process protections, access tokens, ETW telemetry, WFP callouts, minifilters, and other low-level security mechanisms.

Instant Ring0 Access

Establish controlled Windows kernel-mode capability from guest or low-privileged contexts and validate escalation to SYSTEM during authorized operations in hardened Windows environments.

Low-Noise Initial Access

KEF provides a low-noise initial access workflow designed for realistic red team operations against modern endpoint security and monitoring environments.

Advanced Kernel Operations

Access an extensive and continuously expanding collection of process, token, callback, telemetry, injection, credential-access, and security-control testing capabilities through a single operator-focused tool.

KEF Hardware Access Device

The KEF hardware device provides operators with a fast, portable, and controlled way to access the Kernel Exploitation Framework across supported Windows environments.

Customer-Controlled Activation

The device remains inactive until enabled with a valid key generated through the KEF Client Web Interface. Each activation remains valid for up to 24 hours.

Rapid Deployment

Designed for quick setup during red team engagements, security assessments, and controlled field operations without lengthy installation procedures.

Portable Operator Device

A compact USB device that can be easily transported and deployed across approved workstations, servers, labs, and operational environments.

Built for Hardened Environments

Designed for use in secured Windows environments where conventional user-mode tooling may be restricted, monitored, or blocked.

Modern Windows Compatibility

Supports modern Windows workstations and server environments, including Windows 10, Windows 11, and supported Windows Server editions.

Software Demo

Toggle ETW TI, Core Isolation, and InfinityHook status. Revert all kernel callbacks in one action — or target specific drivers and minifilters by name.

How the Kernel Exploitation Framework Works

Three steps from controlled activation to advanced Windows kernel security testing

Step #1

Activate

Connect the KEF hardware device and enter a valid activation key generated through the KEF Client Web Interface. Each activation provides an authorized operational window of up to 24 hours.
Step #2

Initialize

KEF establishes the required Windows kernel-mode capability and prepares the tool for use across the supported environment.
Step #3

Operate

Use the GUI or TUI/CLI interface to access approved modules, perform controlled actions, review results, and record operator activity for reporting and detection engineering.

Why Red Teams Choose KEF

Native Windows Kernel-Level Testing

Most offensive security tools operate in user mode, where their actions can be intercepted, monitored, or restricted by endpoint security controls. KEF operates in Windows kernel mode at ring0, where the operating system and many EDR and XDR products register their callbacks, telemetry components, filters, and enforcement mechanisms.

Precise and Controlled Operations

KEF enables operators to target specific processes, callbacks, providers, callouts, drivers, and minifilters instead of relying on broad or destructive system-wide actions.

Developed by Offensive Security Specialists

KEF is developed by WebSec's Windows internals researchers and offensive security practitioners. Its capabilities are shaped by practical red team operations, advanced security research, and defensive control validation.

Full Operator Logging

KEF records supported operator actions and timestamps, allowing red teams and detection engineers to correlate missed alerts with the exact activity that occurred and build coverage for what was missed.

Who Can Use the Kernel Exploitation Framework?

KEF is a controlled-access offensive security tool available exclusively to verified organizations operating under a lawful mandate and approved scope of use.

Government Security Agencies

National security testing, critical infrastructure assessments, and controlled evaluation of hardened Windows systems.

Military Cyber Units

Advanced cyber operations, tactical system access, security research, and defensive readiness validation in authorized environments.

Law Enforcement

Authorized technical operations requiring controlled kernel access, process inspection, and traceable operator activity.

Red Team Operators

High-fidelity adversary simulation for testing EDR, XDR, endpoint hardening, security monitoring, and incident response capabilities.

Intelligence Teams

Approved technical intelligence operations requiring low-level Windows visibility and controlled kernel interaction.

Windows Kernel Exploitation Framework Features

Six core capability areas for advanced Windows offensive security testing

Kernel Callback Manager

Enumerate, inspect, selectively remove, and restore active kernel callbacks and minifilters across process, thread, image-load, registry, object, driver-verification, and filesystem activity.

Security Control Testing

Assess defensive resilience by testing ETW TI, Core Isolation, HVCI, user-mode hooks, minifilters, and selected kernel callbacks through targeted or bulk operations.

WFP Callout Inspector

Enumerate, inspect, silence, and restore Windows Filtering Platform callouts with visibility into associated drivers, function addresses, status, and policy information.

ETW Provider Control

Search, inspect, disable, and restore Event Tracing for Windows providers while identifying active subscribers across EDR, XDR, antivirus, and Windows components.

Process and Token Control

Inspect processes, edit access tokens, swap tokens, modify privileges, change integrity and PPL levels, terminate processes, and perform controlled process operations.

Ring0 Privilege Escalation

Establish immediate Windows kernel-mode capability from guest or low-privileged contexts and validate escalation to SYSTEM without relying on public exploits or vulnerable third-party drivers.

Windows Kernel Exploitation Framework FAQ's

decorative image about frequently asked questions

Ready to Work with Websec? Inquire Now

Ready to elevate your cybersecurity with WebSec? Take the first step towards fortified protection. Inquire now and secure your digital assets with our trusted expertise.
Personal info