The Art of disguise: How ghost files can become a trump card in the hands of intruders
<blockquote data-quote="Carders" data-source="post: 260" data-attributes="member: 17"><p>Just a couple of tricks will give hackers full access to your file system.</p><p></p><p>At the DEF CON conference, cybersecurity expert Daniel Avinoam presented the results of his research, according to which attackers can take advantage of a vulnerability in the Windows container architecture to bypass endpoint protection.</p><p></p><p>The technique is based on the use of prepared Windows containers containing so-called "ghost files" that do not store real data, but point to another volume in the system. Nothing would have worked either without the Windows Container Isolation FS driver (wcifs.sys), which is responsible for separating file systems between virtual containers and the host.</p><p></p><p>The idea, in a nutshell, is to run a specific system process inside a pre-prepared container and use the aforementioned driver to process I/O requests in such a way that it can create, read, write, and delete filesystem elements without alerting the security software.</p><p></p><p>Among the disadvantages of this technique for a potential attacker, it is necessary to have administrator rights to interact with the driver wcifs.sys. In addition, the technique does not allow you to redefine files on the host system.</p><p></p><p>Previously, Deep Instinct has already demonstrated a similar method of bypassing protection, based on the abuse of Windows Filtering Platform capabilities. In this attack, an attacker can gain SYSTEM rights and execute malicious code.</p><p></p><p>Vulnerabilities in operating system architectures are increasingly being used to circumvent malware detection. Companies need to carefully monitor the latest developments of both honest researchers and real attackers in order to update their security tools in a timely manner and make their systems safer.</p></blockquote><p></p>