
Sneaky Privilege Escalation Method Bypasses Windows Security

A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system.

“If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough,” Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News.

“Running as ‘NT AUTHORITY\SYSTEM’ is required. The techniques described in this research can escalate from admin to SYSTEM.”

The findings were presented at the DEF CON security conference over the weekend.

The starting point of the research is an in-house tool called RPC Mapper that the cybersecurity company used to map remote procedure call (RPC) methods, specifically those that invoke WinAPI, leading to the discovery of a method named “BfeRpcOpenToken,” which is part of WFP.

WFP is a set of APIs and system services that is used to process network traffic and allows configuring filters that permit or block communications.


“The handle table of another process can be retrieved by calling NtQueryInformationProcess,” Ben Yizhak said. “This table lists the tokens held by the process. The handles to those tokens can be duplicated for another process to escalate to SYSTEM.”

While access tokens serve to identify the user involved when a privileged task is executed, a piece of malware running in user mode can access the tokens of other processes using specific functions (e.g., DuplicateToken or DuplicateHandle) and then use that token to launch a child process with SYSTEM privileges.

But the aforementioned technique, per the cybersecurity firm, can be modified to perform the duplication in the kernel via WFP, making it both evasive and stealthy by leaving barely any evidence or logs.

In other words, NoFilter can launch a new console as “NT AUTHORITY\SYSTEM” or as another user that is logged on to the machine.


“The takeaway is that new attack vectors can be found by looking into built-in components of the OS, such as the Windows Filtering Platform,” Ben Yizhak said, adding that the techniques “avoid WinAPI that are monitored by security products.”

The disclosure comes as SafeBreach revealed novel approaches that could be abused by a threat actor to encrypt files without executing code on the targeted endpoint using a cloud-based ransomware (DoubleDrive), neutralize the Windows Defender endpoint detection and response (EDR) agent and allow any malicious code to run fully undetected (Defender-Pretender), and remotely delete entire databases from fully patched servers (Erase Data Remotely).

It also follows ShorSec’s release of a proof-of-concept (PoC) for a new “threadless” process injection technique that uses DLL Notification Callbacks in remote processes to trigger shellcode execution and evade process injection detections by security solutions.
