New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework.
The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month.
Microsoft’s container architecture (and by extension, Windows Sandbox) uses what’s called a dynamically generated image to separate the file system from each container to the host and at the same time avoid duplication of system files.
It’s nothing but an “operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host,” thereby bringing down the overall size for a full OS.
“The result is images that contain ‘ghost files,’ which store no actual data but point to a different volume on the system,” Avinoam said in a report shared with The Hacker News. “It was at this point that the idea struck me — what if we can use this redirection mechanism to obfuscate our file system operations and confuse security products?”
This is where the Windows Container Isolation FS (wcifs.sys) minifilter driver comes into play. The driver’s main purpose is to take care of the file system separation between Windows containers and their host.
The driver handles the ghost files redirection by parsing their attached reparse points and the associated reparse tags which uniquely identify the owner, i.e., the implementer of the file system filter driver that performs additional filter-defined processing on a file during I/O operations.
Two such reparse tag data structures used by the Windows Container Isolation filter, according to Microsoft, are IO_REPARSE_TAG_WCI_1 and IO_REPARSE_TAG_WCI_LINK_1.
The idea, in a nutshell, is to have the current process running inside a fabricated container and leverage the minifilter driver to handle I/O requests such that it can create, read, write, and delete files on the file system without alerting security software.
It’s worth pointing out at this stage that a minifilter attaches to the file system stack indirectly, by registering with the filter manager for the I/O operations that it chooses to filter. Each minifilter is allocated a Microsoft-assigned “integer” altitude value based on filter requirements and load order group.
The wcifs.sys driver occupies a lower altitude range of 180000-189999 (specifically 189900), while antivirus filters, including those from third-parties, function at an altitude range of 320000-329999. As a result, various file operations can be performed without getting their callbacks triggered.
“Because we can override files using the IO_REPARSE_TAG_WCI_1 reparse tag without the detection of antivirus drivers, their detection algorithm will not receive the whole picture and thus will not trigger,” Avinoam explained.
That having said, pulling off the attack requires administrative permissions to communicate with the wcifs.sys driver and it cannot be used to override files on the host system.
The disclosure comes as the cybersecurity company demonstrated a stealthy technique called NoFilter that abuses the Windows Filtering Platform (WFP) to elevate a user’s privileges to that of SYSTEM and potentially execute malicious code.
The attacks allow the use of WFP to duplicate access tokens for another process, trigger an IPSec connection and leverage the Print Spooler service to insert a SYSTEM token into the table, and make it possible to obtain the token of another user logged into the compromised system for lateral movement.