Security News > 2023 > August > NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security
A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform to achieve privilege escalation in the Windows operating system.
"If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News.
The starting point of the research is an in-house tool called RPC Mapper the cybersecurity company used to map remote procedure call methods, specifically those that invoke WinAPI, leading to the discovery of a method named "BfeRpcOpenToken," which is part of WFP. WFP is a set of API and system services that's used to process network traffic and allow configuring filters that permit or block communications.
"The handle table of another process can be retrieved by calling NtQueryInformationProcess," Ben Yizhak said.
While access tokens serve to identify the user involved when a privileged task is executed, a piece of malware running in user mode can access tokens of other processes using specific functions and then use that token to launch a child process with SYSTEM privileges.
"The takeaway is that new attack vectors can be found by looking into built-in components of the OS, such as the Windows Filtering Platform," Ben Yizhak said, adding the methods "Avoid WinAPI that are monitored by security products."
News URL
https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html
Related news
- Windows 10 KB5043064 update released with 6 fixes, security updates (source)
- Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack (source)
- About that Windows Installer 'make me admin' security hole. Here's how it's exploited (source)
- Security measures fail to keep up with rising email attacks (source)
- Windows vulnerability abused braille “spaces” in zero-day attacks (source)
- CISA warns of Windows flaw used in infostealer malware attacks (source)
- Windows Server 2025 previews security updates without restarts (source)
- JPCERT shares Windows Event Log tips to detect ransomware attacks (source)
- Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks (source)
- WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks (source)