Nullcon Goa

POSIX-Based Self-Deletion to Evade Windows 11 25H2


Course

Jakkaraju Varshith and Vivek Joshi of Rashtriya Raksha University demonstrate how POSIX-based self-deletion and stealth injection bypass Windows 11 25H2 security controls, with detection guidance for blue teams.

Windows 11 24H2 broke every existing self-deletion technique used by malware and red team tools, rendering files recoverable through forensic analysis and exposing a significant gap for penetration testing workflows. Reversing the updated NTFS driver behavior revealed a reliable workaround using `FILE_DISPOSITION_POSIX_SEMANTICS`, a flag originally designed for Windows Subsystem for Linux compatibility.


In this session, led by Jakkaraju Varshith and Vivek Joshi of Rashtriya Raksha University, you will learn:

  • How Microsoft's 25H2 NTFS changes broke legacy self-deletion techniques, and why zero-byte file traces remain a forensic problem;
  • How POSIX semantics within the Windows NT kernel can be leveraged to achieve complete, traceless file deletion;
  • How combining self-deletion with process injection into explorer.exe creates an evasion chain that defeats static signature detection.

Here is the course outline:

Phantom Code: Evading Windows 11 25H2 Through POSIX-Based Self-Deletion and Stealth Injection

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
