A new attack technique called NoFilter has been discovered that abuses the Windows Filtering Platform (WFP) to achieve privilege escalation on the Windows operating system [1] [2] [3] [4] [5] [6].

Description

The technique, known as NoFilter [2] [3] [6], closes a gap its authors describe as follows: an attacker who can already execute code with admin privileges still cannot perform LSASS Shtinkering (an LSASS memory-dumping technique from the same research team), because that requires running as "NT AUTHORITY\SYSTEM"; NoFilter escalates from admin to SYSTEM [4]. The research that led to the discovery started with an in-house tool called RPC Mapper, which was used to map the remote procedure call (RPC) methods exposed by Windows services [4]. Among them, a method named "BfeRpcOpenToken" was found in WFP's Base Filtering Engine (BFE) service [2] [4]. By invoking this method, an attacker can duplicate handles to tokens held by another process [2] [6] and use one of them to escalate to SYSTEM [2] [6]. The technique can further be adapted so that the duplication is performed in the kernel via WFP, rather than through user-mode token APIs called from the attacker's own process, which makes it difficult to detect [2] [3]. In practice, NoFilter can launch a new console as "NT AUTHORITY\SYSTEM" or as another user who is logged on to the machine [2] [3].

The discovery highlights the value of examining built-in components of the operating system, such as the Windows Filtering Platform, for functionality that can be abused [1] [2] [3] [4] [5] [6]. It also shows that an attacker can avoid the WinAPI calls that security products monitor by routing the operation through such a component [4]: a detection strategy built solely on hooking user-mode token-manipulation APIs never sees the duplication happen. This previously undetected method bypasses Windows security measures and lets attackers gain elevated privileges and, from there, unauthorized access to sensitive information on the system [5]. The technique was presented at the DEF CON security conference; it is evasive and stealthy, leaving little evidence in logs [6].
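Because the duplication itself is done by BFE and the kernel rather than by a monitored API call in the attacker's process, one practical place to look is the outcome the write-up describes: a new process that runs as SYSTEM (or as another logged-on user) although the account that created it was an ordinary admin user. The heuristic below is an added example, not code from the NoFilter research or from any of the cited articles. It assumes the new console is created with the duplicated token by the attacker's own process, and that the log source carries both the creating account and the account the child runs as, as the "Subject" and "Target Subject" sections of Windows Security event 4688 do; the events it runs over are constructed sample data, not real logs.

```python
# Added detection heuristic (not from the NoFilter research): flag process
# creations whose child token belongs to a different account than the creator,
# when the creator is not a SYSTEM/service account. Assumed log fields mirror
# the Subject / Target Subject sections of Security event 4688.
from dataclasses import dataclass
from typing import List, Optional, Set

SYSTEM_SID = "S-1-5-18"
# Well-known service SIDs: services.exe, Secondary Logon and the Task Scheduler
# all run as one of these and legitimately spawn processes under other tokens.
SERVICE_SIDS = {SYSTEM_SID, "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
# Creator processes (lower-case full path) allowed to hand a foreign token to a
# child even when the subject is a regular user. Deliberately empty so nothing
# is tuned out silently; populate per environment.
ALLOWED_CREATORS: Set[str] = set()


@dataclass(frozen=True)
class ProcessCreation:
    record_id: int
    subject_sid: str      # 4688 "Subject": account that requested the creation
    subject_user: str
    target_sid: str       # 4688 "Target Subject": account the new process runs as
    target_user: str
    new_process: str
    creator_process: str


@dataclass(frozen=True)
class Finding:
    record_id: int
    severity: str
    reason: str


def classify(ev: ProcessCreation) -> Optional[Finding]:
    """Return a Finding when the child's token does not match the creator's
    account and the creator is neither a service account nor allow-listed."""
    if ev.subject_sid in SERVICE_SIDS:
        return None                       # services spawn under any token; normal
    if ev.target_sid == ev.subject_sid:
        return None                       # no token switch at all
    if ev.creator_process.lower() in ALLOWED_CREATORS:
        return None
    if ev.target_sid == SYSTEM_SID:       # admin context -> SYSTEM child
        return Finding(ev.record_id, "high",
                       f"{ev.subject_user} created {ev.new_process} running as {ev.target_user}")
    if ev.target_sid.startswith("S-1-5-21-"):  # child runs as another local/domain user
        return Finding(ev.record_id, "medium",
                       f"{ev.subject_user} created {ev.new_process} running as {ev.target_user}")
    return None


def find_token_switches(events: List[ProcessCreation]) -> List[Finding]:
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    # Service Control Manager starting a service: subject is SYSTEM, ignored.
    ProcessCreation(1, SYSTEM_SID, "SYSTEM", SYSTEM_SID, "SYSTEM",
                    r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    # Admin shell spawning a child under its own token: ignored.
    ProcessCreation(2, "S-1-5-21-1-2-3-1001", "alice", "S-1-5-21-1-2-3-1001", "alice",
                    r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\cmd.exe"),
    # Admin-context process launching a console that runs as SYSTEM: the
    # outcome the write-up describes for NoFilter.
    ProcessCreation(3, "S-1-5-21-1-2-3-1001", "alice", SYSTEM_SID, "SYSTEM",
                    r"C:\Windows\System32\cmd.exe", r"C:\Tools\loader.exe"),
    # Same creator, but the console runs as another logged-on user.
    ProcessCreation(4, "S-1-5-21-1-2-3-1001", "alice", "S-1-5-21-1-2-3-1042", "bob",
                    r"C:\Windows\System32\cmd.exe", r"C:\Tools\loader.exe"),
]

if __name__ == "__main__":
    for finding in find_token_switches(SAMPLE_EVENTS):
        print(finding.record_id, finding.severity, finding.reason)
```

On the constructed sample, records 3 and 4 are flagged and records 1 and 2 are not. The allow-list is the tuning knob: elevation helpers that legitimately create SYSTEM children from a user's request should be added there explicitly rather than by widening the service-SID set, so that the rule keeps firing for an arbitrary loader in an admin's session.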

Conclusion

The NoFilter technique poses a significant risk to the security of Windows systems. It demonstrates the need to examine built-in components like the Windows Filtering Platform for interfaces that can be abused, not only for memory-safety bugs. Because the token duplication is carried out by the BFE service and the kernel rather than by monitored WinAPI calls in the attacker's process, defenders should not rely on user-mode API monitoring alone; detection also has to cover RPC calls into built-in services and the resulting token and process changes. The discovery raises concerns about the effectiveness of current Windows security measures and underlines the need for detection and prevention mechanisms that catch evasive, low-noise attacks like NoFilter.

References

[1] https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html
[2] https://mrhacker.co/vulnerabilities/nofilter-attack-sneaky-privilege-escalation-method-bypasses-windows-security
[3] https://www.redpacketsecurity.com/nofilter-attack-sneaky-privilege-escalation-method-bypasses-windows-security/
[4] https://cyber.vumetric.com/security-news/2023/08/17/nofilter-attack-sneaky-privilege-escalation-method-bypasses-windows-security/
[5] https://www.linkedin.com/posts/wdevault_nofilter-attack-sneaky-privilege-escalation-activity-7097991074979213312-QUv3
[6] http://pfete.com/index.php/2023/08/17/sneaky-privilege-escalation-method-bypasses-windows-security/