NoFilter: how a new attack method allows hackers to take full control of Windows devices

Deep Instinct researchers have discovered a stealthy way to escalate the privileges of a popular OS.

At the recent Def Con cybersecurity conference, Deep Instinct specialists presented a report on a previously unknown method of attacking Windows systems called "NoFilter". The method abuses the Windows Filtering Platform and allows attackers to gain elevated privileges, which opens up further opportunities for attacks.

As security expert Ron Ben Yizhak explained in his talk, if an attacker has local administrator rights, this method can give them full access at the SYSTEM level, but administrator rights will no longer be enough to influence LSASS. In other words, the more privileges hackers have initially, the more opportunities they have to attack.

As noted above, NoFilter is based on the abuse of the Windows Filtering Platform (WFP), a set of APIs and system services responsible for filtering network traffic in Windows operating systems.

In particular, the method uses the "BfeRpcOpenToken" function from WFP, which can be used to obtain the access tokens of running processes and then duplicate them to escalate privileges up to the SYSTEM level.

According to Deep Instinct experts, the NoFilter method can bypass monitoring by various security tools, since it makes minimal use of the WinAPI code that antivirus products and other security solutions usually rely on. In addition, this attack method leaves virtually no traces in security logs, which makes it much more difficult to detect the attack and analyze its consequences.

According to experts, NoFilter clearly demonstrates that a thorough analysis of the built-in components of Windows can lead to the identification of new, previously unknown attack vectors.

In light of this, it is imperative for companies and organizations to closely monitor the latest research in the field of information security and quickly take measures to protect against new threats.
 