The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
nofilter attack: sneaky privilege escalation method bypasses windows security

NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security

August 17, 2023

A previously undetected attack technique referred to as NoFilter has been identified that abuses the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system.

“If an attacker has the ability to execute code with admin privilege and the goal is to perform LSASS Shtinkering, these privileges are not enough,” Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News.

“Running as ‘NT AUTHORITY\SYSTEM’ is required. The techniques described in this research can escalate from Admin to System.”

The findings were presented at the DEF CON security conference over the weekend.

The starting point of the research is an in-house tool called RPC Mapper that the cybersecurity company used to map remote procedure call (RPC) methods, particularly those that invoke WinAPI, leading to the discovery of a method named “BfeRpcOpenToken,” which is part of WFP.

WFP is a set of APIs and system services that is used to process network traffic and allows configuring filters that permit or block communications.

“The handle table of another process can be retrieved by calling NtQueryInformationProcess,” Ben Yizhak said. “This table lists the tokens held by the process. The handles to these tokens can be duplicated for another process to escalate to SYSTEM.”

While access tokens serve to identify the user involved when a privileged task is executed, a piece of malware running in user mode can access the tokens of other processes using specific functions (e.g., DuplicateToken or DuplicateHandle) and then use such a token to launch a child process with SYSTEM privileges.

But the aforementioned method, per the cybersecurity company, can be modified to perform the duplication in the kernel via WFP, making it both evasive and stealthy by leaving barely any evidence or logs.

In other words, NoFilter can launch a new console as “NT AUTHORITY\SYSTEM” or as another user that is logged on to the machine.
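Because the kernel-side duplication described above leaves little in the way of API-level telemetry, one practical place for defenders to look is the end state the article names: a console running as NT AUTHORITY\SYSTEM inside a logged-on user's interactive session. The following PowerShell hunting script is an added example written for this page; it is not code from the article or from Deep Instinct. The list of console process names and the assumption that legitimate SYSTEM consoles normally live in session 0 (the services session) are the example's own heuristics.

```powershell
# Added example (not from the article or Deep Instinct): flag console processes that
# run as NT AUTHORITY\SYSTEM in an interactive (non-zero) session, which is the end
# state the NoFilter write-up describes.
# Assumptions (hypothetical heuristic): SYSTEM consoles belong in session 0; the
# process-name list below is illustrative and can be extended.

$consoleNames = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'conhost.exe')

function Get-SuspiciousSystemConsoles {
    param(
        [string[]]$Names = $consoleNames
    )
    $findings = @()
    foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
        if ($Names -notcontains $proc.Name) { continue }
        # Session 0 is the non-interactive services session; SYSTEM consoles there are expected.
        if ($proc.SessionId -eq 0) { continue }

        # Win32_Process.GetOwner returns the account the process token resolves to.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
        if ($owner.ReturnValue -ne 0) { continue }   # access denied or the process already exited

        if ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM') {
            # Record the parent so an analyst can see what spawned the SYSTEM console.
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
            $findings += [pscustomobject]@{
                ProcessId   = $proc.ProcessId
                Name        = $proc.Name
                SessionId   = $proc.SessionId
                ParentPid   = $proc.ParentProcessId
                ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
                CommandLine = $proc.CommandLine
            }
        }
    }
    return $findings
}

# Run from an elevated prompt so GetOwner succeeds for other users' processes.
Get-SuspiciousSystemConsoles | Format-Table -AutoSize
```

Treat each hit as a triage lead rather than a verdict: administrators who deliberately start SYSTEM shells in their own session (for example with remote-execution tools) will show up too, so the parent process and command line are what turn a hit into a finding. Scheduling this check, or porting the same logic to an EDR query over process-creation events, gives a baseline that does not depend on the user-mode API hooks the technique is designed to sidestep.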

“The takeaway is that new attack vectors can be found by looking into built-in components of the OS, such as the Windows Filtering Platform,” Ben Yizhak said, adding that the methods “evade WinAPI that are monitored by security products.”

Some parts of this article are sourced from:
thehackernews.com
