Security researchers have disclosed a new attack technique called NoFilter that abuses the Windows Filtering Platform (WFP) to achieve privilege escalation on Windows. The technique allows an attacker who already holds administrator privileges to escalate to SYSTEM, which is required to perform certain malicious actions. The research was presented at the DEF CON security conference.
The researchers used an in-house tool called RPC Mapper to map remote procedure call (RPC) methods and discovered a method called "BfeRpcOpenToken" within WFP. By calling NtQueryInformationProcess, the handle table of another process can be retrieved, which lists the tokens held by that process. Those tokens can be duplicated to escalate to SYSTEM privilege.
Typically, user-mode malware can access the tokens of other processes and use them to launch a child process with SYSTEM privileges. NoFilter changes this procedure by performing the duplication in the kernel via WFP, which makes it harder to detect.
This attack technique allows NoFilter to launch a new console as "NT AUTHORITY\SYSTEM" or as another logged-in user. By abusing built-in components of the Windows OS such as WFP, the technique aims to evade detection by security products.
This research highlights the importance of investigating built-in components of an operating system to uncover new attack vectors. It also underscores the need for security products to monitor for and detect such evasive, stealthy techniques.