A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system.
“If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough,” Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News.
“Running as “NT AUTHORITY\SYSTEM” is required. The techniques described in this research can escalate from admin to SYSTEM.”
The findings were presented at the DEF CON security conference over the weekend.
The starting point of the research is an in-house tool called RPC Mapper the cybersecurity company used to map remote procedure call (RPC) methods, specifically those that invoke WinAPI, leading to the discovery of a method named “BfeRpcOpenToken,” which is part of WFP.
WFP is a set of API and system services that’s used to process network traffic and allow configuring filters that permit or block communications.
“The handle table of another process can be retrieved by calling NtQueryInformationProcess,” Ben Yizhak said. “This table lists the tokens held by the process. The handles to those tokens can be duplicated for another process to escalate to SYSTEM.”
While access tokens serve to identify the user involved when a privileged task is executed, a piece of malware running in user mode can access tokens of other processes using specific functions (e.g., DuplicateToken or DuplicateHandle) and then use that token to launch a child process with SYSTEM privileges.
But the aforementioned technique, per the cybersecurity firm, can be modified to perform the duplication in the kernel via WFP, making it both evasive and stealthy by leaving barely any evidence or logs.
In other words, the NoFilter can launch a new console as “NT AUTHORITY\SYSTEM” or as another user that is logged on to the machine.
“The takeaway is that new attack vectors can be found by looking into built-in components of the OS, such as the Windows Filtering Platform,” Ben Yizhak said, adding the methods “avoid WinAPI that are monitored by security products.”
The disclosure comes as SafeBreach revealed novel approaches that could be abused by a threat actor to encrypt files without executing code on the targeted endpoint using a cloud-based ransomware (DoubleDrive), neutralize the Windows Defender endpoint detection and response (EDR) agent and allow any malicious code to run fully undetected (Defender-Pretender), and remotely delete entire databases from fully patched servers (Erase Data Remotely).
It also follows ShorSec’s release of a proof-of-concept (PoC) for a new “threadless” process injection technique that utilizes DLL Notification Callbacks in remote processes to trigger shellcode execution and evade process injection detections by security solutions.