Recent discoveries indicate that malicious actors might exploit a clever method to dodge malware detection and bypass security measures on endpoints by manipulating the Windows Container Isolation Framework.
These findings were presented by Daniel Avinoam, a security researcher at Deep Instinct, during the DEF CON security conference held earlier this month.
How does Microsoft’s architecture work?
Microsoft’s container architecture, which includes Windows Sandbox, uses a dynamically generated image to separate a container’s file system from the host. This technique prevents the duplication of system files while keeping the overall size of an entire OS manageable.
Essentially, this approach involves creating an “operating system image with clean versions of changeable files that link to unchangeable files in the existing Windows image on the host,” thus reducing the overall size.
What was the consideration?
This mechanism prompted Avinoam’s question: could it be used to obscure file system operations and confuse security tools? That led him to focus on the Windows Container Isolation FS (wcifs.sys) mini-filter driver, which handles file system separation between Windows containers and their host.
The idea is to run a process in a fabricated container and use the mini-filter driver to manage I/O requests. This way, the process can manipulate files on the file system without alerting security software.
Technical Analysis
- The critical point is that the mini-filter driver attaches to the file system stack indirectly, through the filter manager, and registers for specific I/O operations. Microsoft assigns it an integer “altitude” value that determines its position relative to other filters.
- The wcifs driver’s altitude range is 180000-189999, while antivirus filters work at 320000-329999. This allows certain file operations to occur without triggering callbacks from antivirus drivers.
- When files are overridden using the IO_REPARSE_TAG_WCI_1 reparse tag, the detection algorithms of antivirus software do not see the complete picture and therefore fail to trigger.
However, this attack requires administrative permissions to interact with the wcifs driver and can’t override files on the host system.
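As an added defensive check (this is not code from the talk or from Deep Instinct), the following Python script parses the table printed by `fltmc filters` and reports which loaded mini-filters sit below the anti-virus altitude band, whether wcifs is loaded, and whether its altitude falls in the range the talk describes. The sample output embedded here is constructed; on a real host, feed it the output of `fltmc filters` from an elevated prompt.

```python
import re
from dataclasses import dataclass

# Altitude bands quoted in the article: wcifs.sys vs. anti-virus mini-filters.
WCIFS_BAND = (180000, 189999)
AV_BAND = (320000, 329999)

@dataclass
class MiniFilter:
    name: str
    altitude: float

# Constructed sample of `fltmc filters` output (not captured from a real host).
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                5       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
"""
_ROW = re.compile(r"^(\S+)\s+\d+\s+(\d+(?:\.\d+)?)\s+\d+$")
def parse_fltmc(output: str) -> list[MiniFilter]:
    """Parse the table printed by `fltmc filters`; header and separator rows are skipped."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(MiniFilter(m[1], float(m[2])))
    return rows

def in_band(altitude: float, band: tuple[int, int]) -> bool:
    return band[0] <= altitude <= band[1]

def assess(filters: list[MiniFilter]) -> dict:
    """Report which loaded filters sit below the lowest AV filter. Pre-operation
    callbacks run from the highest altitude downward, so I/O that a lower filter
    issues or redirects (as wcifs does via reparse tags) never passes the AV callbacks."""
    av = [f for f in filters if in_band(f.altitude, AV_BAND)]
    av_floor = min((f.altitude for f in av), default=None)
    wcifs = next((f for f in filters if f.name.lower() == "wcifs"), None)
    below = [f.name for f in filters if av_floor is not None and f.altitude < av_floor]
    return {
        "av_filters": [f.name for f in av],
        "wcifs_loaded": wcifs is not None,
        "wcifs_altitude": wcifs.altitude if wcifs else None,
        "wcifs_in_expected_band": bool(wcifs and in_band(wcifs.altitude, WCIFS_BAND)),
        "below_av": sorted(below),
    }
```

A non-empty `below_av` list is expected on any Windows host; the value of the report is in knowing which filters are there, and in tracking whether wcifs becomes loaded on machines that do not run containers or Windows Sandbox.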
The base point of the findings
These findings come alongside Deep Instinct’s demonstration of a technique called NoFilter, which manipulates the Windows Filtering Platform (WFP) to elevate user privileges to the SYSTEM level, potentially enabling the execution of malicious code.
This method involves duplicating access tokens, initiating an IPSec connection, and inserting a SYSTEM token with the Print Spooler service. It also facilitates obtaining another user’s token on the compromised system for lateral movement.
Thought of the day: Do not ignore Endpoint security
The allocation of altitude values to mini-filter drivers is critical in their interaction with the broader filtering ecosystem. The potential impact of a successful breach through this technique could be severe, as attackers gain the ability to obfuscate their actions and manipulate file systems without detection.
Vigilance in monitoring and securing all layers of the technology stack is crucial. It is now up to you to stay secure at your end.