1. InfoconDB
  2. DEF CON
  3. DEF CON 31 (2023)
  4. #NoFilter: Abusing Windows Filtering Platform for privilege escalation

#NoFilter: Abusing Windows Filtering Platform for privilege escalation

Presented at DEF CON 31 (2023), Aug. 13, 2023, noon (45 minutes)

Privilege escalation is a common attack vector in the Windows OS. Today, there are multiple offensive tools in the wild that can execute code as “NT AUTHORITY\SYSTEM” (Meterpreter, CobaltStrike, Potato tools), and they all usually do so by duplicating tokens and manipulating services in some way or another. This talk will show an evasive and undetected privilege escalation technique that abuses the Windows Filtering Platform (WFP). This platform processes network traffic and allow configuring filters that permit or block communication. It is built-in component of the operating system since Windows Vista, and doesn’t require an installation. My research started from reverse-engineering a single RPC method in an OS service and ended with several techniques to abuse a system kernel component, that allow executing programs as “NT AUTHORITY\SYSTEM”, as well as other users that are logged on the the machine without triggering any traditional detection algorithms. The various components of the Windows Filtering Platform will be analyzed, such as the Basic Filtering Engine, the TCPIP driver and the IPSec protocol, while focusing on how to abuse them and extract valuable data from them. REFERENCES - https://googleprojectzero.blogspot.com/2021/08/understanding-network-access-windows-app.html - https://scorpiosoftware.net/2022/12/25/introduction-to-the-windows-filtering-platform/ - https://learn.microsoft.com/en-us/windows/win32/fwp/windows-filtering-platform-architecture-overview - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759130(v=ws.10)

Presenters:

  • Ron Ben-Yizhak - Security Researcher at Deep Instinct
    Ron Ben-Yizhak is a security researcher at Deep Instinct. He is responsible for research of malware campaigns, attack surfaces and vectors and evasion techniques. His findings are used for developing new analysis, detection, and mitigation capabilities. Ron joined Deep Instinct in 2019 after serving as a security researcher and forensics specialist in one of the IDF’s elite cyber units.

Links:

Similar Presentations: