Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security (Security News, August 2023)

New research shows that attackers could abuse the Windows Container Isolation Framework as a detection-evasion technique and bypass endpoint security solutions.
Microsoft's container architecture uses a dynamically generated image to separate each container's file system from the host's while avoiding duplication of system files.
In Microsoft's own description it is an "operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host," which keeps the size of a full OS image down. "The result is images that contain 'ghost files,' which store no actual data but point to a different volume on the system," Deep Instinct security researcher Daniel Avinoam said in a report shared with The Hacker News.
The file system separation between Windows containers and their host is handled by a file system minifilter driver, wcifs.sys (Windows Container Isolation FS).
The technique builds on this: the current process is attached to a fabricated container, and the minifilter driver is left to service its I/O requests, so the process can create, read, write and delete files on the file system without alerting the security software that watches those operations.
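The "ghost files" described above are ordinary NTFS reparse points whose tag belongs to wcifs.sys (IO_REPARSE_TAG_WCI, 0x80000018, and IO_REPARSE_TAG_WCI_1, 0x90001018, as defined in the Windows SDK headers); the driver resolves them to the real file on another volume when I/O arrives. The example below is added here and is not code from the article or from Deep Instinct. It decodes the REPARSE_DATA_BUFFER that FSCTL_GET_REPARSE_POINT returns, tells wcifs tags apart from symlinks and junctions, and runs a simple triage check over constructed sample entries. The check assumes that on a given host legitimate WCI reparse points only live under operator-supplied container layer roots; that assumption, the sample paths and the opaque WCI payload bytes are this example's, not the article's.

```python
"""Parse and classify NTFS reparse-point buffers, including the wcifs.sys tags."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Reparse tags from ntifs.h / winnt.h.
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # junction
IO_REPARSE_TAG_SYMLINK = 0xA000000C
IO_REPARSE_TAG_WCI = 0x80000018          # Windows Container Isolation FS (wcifs.sys)
IO_REPARSE_TAG_WCI_1 = 0x90001018        # newer wcifs.sys tag

TAG_NAMES = {
    IO_REPARSE_TAG_MOUNT_POINT: "IO_REPARSE_TAG_MOUNT_POINT",
    IO_REPARSE_TAG_SYMLINK: "IO_REPARSE_TAG_SYMLINK",
    IO_REPARSE_TAG_WCI: "IO_REPARSE_TAG_WCI",
    IO_REPARSE_TAG_WCI_1: "IO_REPARSE_TAG_WCI_1",
}
WCI_TAGS = {IO_REPARSE_TAG_WCI, IO_REPARSE_TAG_WCI_1}
SYMLINK_FLAG_RELATIVE = 0x1


@dataclass
class ReparsePoint:
    tag: int
    name: str
    microsoft: bool        # bit 31: tag owned by Microsoft
    name_surrogate: bool   # bit 29: the file stands in for another path (symlink, junction)
    target: Optional[str]  # substitute name for symlink/junction; None for opaque data (WCI)


def parse_reparse_buffer(buf: bytes) -> ReparsePoint:
    """Decode a REPARSE_DATA_BUFFER as returned by FSCTL_GET_REPARSE_POINT.

    Header: ReparseTag (ULONG), ReparseDataLength (USHORT), Reserved (USHORT).
    Only symlink and mount-point payloads are decoded; every other tag (the WCI
    tags included) is reported by tag with its payload left opaque.
    """
    if len(buf) < 8:
        raise ValueError("buffer shorter than REPARSE_DATA_BUFFER header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    data = buf[8:8 + data_len]
    if len(data) != data_len:
        raise ValueError("ReparseDataLength exceeds buffer")
    target = None
    if tag in (IO_REPARSE_TAG_SYMLINK, IO_REPARSE_TAG_MOUNT_POINT):
        # Both payloads start with four USHORT offsets/lengths (in bytes) into
        # PathBuffer; the symlink payload also has a ULONG Flags field first.
        sub_off, sub_len, _prt_off, _prt_len = struct.unpack_from("<HHHH", data, 0)
        path_buf = data[12:] if tag == IO_REPARSE_TAG_SYMLINK else data[8:]
        target = path_buf[sub_off:sub_off + sub_len].decode("utf-16-le")
    return ReparsePoint(
        tag=tag,
        name=TAG_NAMES.get(tag, "0x%08X" % tag),
        microsoft=bool(tag & 0x80000000),
        name_surrogate=bool(tag & 0x20000000),
        target=target,
    )


def wci_points_outside(entries: Iterable[Tuple[str, bytes]],
                       layer_roots: Iterable[str]) -> List[str]:
    """Return paths with a wcifs.sys reparse tag that sit outside the known layer roots.

    Assumption of this example: legitimate WCI reparse points only appear under
    the operator-supplied container layer roots, so any other location is worth a look.
    """
    roots = [r.lower().rstrip("\\") + "\\" for r in layer_roots]
    hits = []
    for path, buf in entries:
        rp = parse_reparse_buffer(buf)
        if rp.tag in WCI_TAGS and not any(path.lower().startswith(r) for r in roots):
            hits.append(path)
    return hits


# --- constructed sample data (not captured from a real host) ------------------

def build_symlink_buffer(target: str, relative: bool = False) -> bytes:
    """Construct a symlink REPARSE_DATA_BUFFER with identical substitute and print names."""
    name = target.encode("utf-16-le")
    flags = SYMLINK_FLAG_RELATIVE if relative else 0
    data = struct.pack("<HHHHI", 0, len(name), len(name), len(name), flags) + name + name
    return struct.pack("<IHH", IO_REPARSE_TAG_SYMLINK, len(data), 0) + data


def build_opaque_buffer(tag: int, payload: bytes) -> bytes:
    """Construct a REPARSE_DATA_BUFFER whose payload is not interpreted (used for the WCI tags)."""
    return struct.pack("<IHH", tag, len(payload), 0) + payload


SAMPLE_ENTRIES = [
    (r"C:\ProgramData\Docker\windowsfilter\layer1\Files\Windows\System32\kernel32.dll",
     build_opaque_buffer(IO_REPARSE_TAG_WCI_1, b"\x01\x00" + b"\x00" * 30)),
    (r"C:\Users\Public\staging\ntdll.dll",
     build_opaque_buffer(IO_REPARSE_TAG_WCI_1, b"\x01\x00" + b"\x00" * 30)),
    (r"C:\Users\Public\link.txt", build_symlink_buffer(r"C:\Windows\Temp\real.txt")),
]
SAMPLE_LAYER_ROOTS = [r"C:\ProgramData\Docker\windowsfilter"]

if __name__ == "__main__":
    for path, buf in SAMPLE_ENTRIES:
        print(path, parse_reparse_buffer(buf))
    print("WCI reparse points outside known layer roots:",
          wci_points_outside(SAMPLE_ENTRIES, SAMPLE_LAYER_ROOTS))
```

On a real host the buffers come from DeviceIoControl with FSCTL_GET_REPARSE_POINT on each file whose attributes include FILE_ATTRIBUTE_REPARSE_POINT; the parser is deliberately tolerant of unknown tags so that a scan over a whole volume reports third-party and undocumented tags by value rather than failing on them.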
The disclosure comes as Deep Instinct also demonstrated a stealthy technique called NoFilter, which abuses the Windows Filtering Platform (WFP) to elevate a user's privileges to SYSTEM and potentially execute malicious code.
News URL
https://thehackernews.com/2023/08/hackers-can-exploit-windows-container.html