The Art of disguise: How ghost files can become a trump card in the hands of intruders

Just a couple of tricks will give hackers full access to your file system.

At the DEF CON conference, cybersecurity expert Daniel Avinoam presented the results of his research, according to which attackers can take advantage of a vulnerability in the Windows container architecture to bypass endpoint protection.

The technique is based on the use of prepared Windows containers containing so-called "ghost files" that do not store real data but instead point to another volume in the system. The technique also depends on the Windows Container Isolation FS driver (wcifs.sys), which is responsible for separating file systems between virtual containers and the host.

The idea, in a nutshell, is to run a specific system process inside a pre-prepared container and use the aforementioned driver to process I/O requests in such a way that the process can create, read, write, and delete file system elements without alerting the security software.
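As an added defender-side example (not code from the original post or from Avinoam's research): a PowerShell script that inventories reparse-point files under a directory and flags the ones carrying the Windows Container Isolation reparse tags, which is the on-disk form of the "ghost files" described above. The two tag values come from the Windows SDK headers (ntifs.h), not from the post; the parsing assumes the usual "Reparse Tag Value : 0x..." line printed by `fsutil reparsepoint query`, and the function names `Find-GhostFiles` and `Get-ReparseTag` are this example's own.

```powershell
# Added example, not part of the original post or the research it summarizes.
# Lists reparse-point files under $Root and marks those whose reparse tag belongs
# to the Windows Container Isolation filter (wcifs.sys). Tag values are taken
# from the Windows SDK (ntifs.h); the heuristic and output shape are this script's own.
param(
    [string]$Root  = "$env:SystemDrive\",
    [int]   $Depth = 4
)

# Reparse tags assigned to wcifs.sys (values from ntifs.h, kept as lowercase hex strings
# because a 32-bit hex literal such as 0x80000018 is parsed as a negative Int32 by PowerShell).
$WciTags = @{
    '0x80000018' = 'IO_REPARSE_TAG_WCI'
    '0x90001018' = 'IO_REPARSE_TAG_WCI_1'
}

function Get-ReparseTag {
    # Returns the reparse tag of a file as a normalized '0x########' string, or $null
    # if the file is not a reparse point or fsutil could not query it.
    param([string]$Path)
    $out = & fsutil.exe reparsepoint query $Path 2>$null
    foreach ($line in $out) {
        # fsutil prints a line such as "Reparse Tag Value : 0x80000018"
        if ($line -match 'Reparse Tag Value\s*:\s*0x([0-9a-fA-F]+)') {
            return ('0x{0:x8}' -f [Convert]::ToUInt32($Matches[1], 16))
        }
    }
    return $null
}

function Find-GhostFiles {
    # Walks $Path up to $MaxDepth levels and emits one record per reparse-point file.
    param([string]$Path, [int]$MaxDepth)
    Get-ChildItem -Path $Path -Recurse -Depth $MaxDepth -Force -File `
                  -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tag   = Get-ReparseTag -Path $_.FullName
            $isWci = [bool]($tag -and $WciTags.ContainsKey($tag))
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType          # SymbolicLink/Junction for ordinary links, empty otherwise
                Tag      = $tag
                TagName  = if ($isWci) { $WciTags[$tag] } else { 'other/unknown' }
                IsWci    = $isWci
                Written  = $_.LastWriteTime
            }
        }
}

$results = Find-GhostFiles -Path $Root -MaxDepth $Depth
"Reparse-point files scanned: $($results.Count); WCI-tagged: $(@($results | Where-Object IsWci).Count)"
$results | Where-Object IsWci | Sort-Object Written -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that protected directories are not silently skipped. The output is a review list, not a verdict: WCI reparse points exist legitimately inside container image layers (for example under the storage used by Docker or Windows Sandbox), so entries outside known container storage paths, or with recent write times, are the ones that deserve a closer look.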

Among the drawbacks of this technique for a potential attacker: administrator rights are required to interact with the wcifs.sys driver. In addition, the technique does not allow files on the host system to be overridden.

Previously, Deep Instinct had already demonstrated a similar method of bypassing protection, based on abusing Windows Filtering Platform capabilities. In that attack, an attacker can gain SYSTEM rights and execute malicious code.

Vulnerabilities in operating system architectures are increasingly being used to circumvent malware detection. Companies need to carefully monitor the latest developments of both honest researchers and real attackers in order to update their security tools in a timely manner and make their systems safer.