Security News > 2023 > August > NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security
![NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security](/static/build/img/news/nofilter-attack-sneaky-privilege-escalation-method-bypasses-windows-security-medium.jpg)
A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform to achieve privilege escalation in the Windows operating system.
"If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News.
The starting point of the research is an in-house tool called RPC Mapper the cybersecurity company used to map remote procedure call methods, specifically those that invoke WinAPI, leading to the discovery of a method named "BfeRpcOpenToken," which is part of WFP. WFP is a set of API and system services that's used to process network traffic and allow configuring filters that permit or block communications.
"The handle table of another process can be retrieved by calling NtQueryInformationProcess," Ben Yizhak said.
While access tokens serve to identify the user involved when a privileged task is executed, a piece of malware running in user mode can access tokens of other processes using specific functions and then use that token to launch a child process with SYSTEM privileges.
"The takeaway is that new attack vectors can be found by looking into built-in components of the OS, such as the Windows Filtering Platform," Ben Yizhak said, adding the methods "Avoid WinAPI that are monitored by security products."
News URL
https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html
Related news
- Black Basta ransomware gang linked to Windows zero-day attacks (source)
- Microsoft delays Windows Recall amid privacy and security concerns (source)
- Microsoft delays Windows Recall rollout, more security testing needed (source)
- CISA warns of Windows bug exploited in ransomware attacks (source)
- New attack uses MSC files and Windows XSS flaw to breach networks (source)
- Critical Windows licensing bugs, plus two others under attack, top Patch Tuesday (source)
- Windows MSHTML zero-day used in malware attacks for over a year (source)
- Void Banshee APT exploited “lingering Windows relic” in zero-day attacks (source)
- Windows July security updates send PCs into BitLocker recovery (source)