Security News > 2023 > August > NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security
![NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security](/static/build/img/news/nofilter-attack-sneaky-privilege-escalation-method-bypasses-windows-security-medium.jpg)
A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform to achieve privilege escalation in the Windows operating system.
"If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News.
The starting point of the research is an in-house tool called RPC Mapper, which the cybersecurity company used to map remote procedure call (RPC) methods, specifically those that invoke WinAPI, leading to the discovery of a method named "BfeRpcOpenToken," which is part of WFP. WFP is a set of APIs and system services used to process network traffic and to configure filters that permit or block communications.
"The handle table of another process can be retrieved by calling NtQueryInformationProcess," Ben Yizhak said.
While access tokens serve to identify the user involved when a privileged task is executed, a piece of malware running in user mode can access tokens of other processes using specific functions and then use that token to launch a child process with SYSTEM privileges.
"The takeaway is that new attack vectors can be found by looking into built-in components of the OS, such as the Windows Filtering Platform," Ben Yizhak said, adding the methods "avoid WinAPI that are monitored by security products."
News URL
https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html