Privilege escalation is a commonly employed attack vector in the Windows operating system environment.
Attackers often leverage offensive tools such as Meterpreter, CobaltStrike, or Potato tools to execute code such as “NT AUTHORITY\SYSTEM.”
These tools typically employ token duplication and service manipulation techniques to perform attacks like LSASS tinkering.
The Deep Instinct security research team developed an RPC mapper tool for analyzing RPC methods. The BfeRpcOpenToken method, which is part of the Windows Filtering Platform, captured their attention.
The Windows Filtering Platform is a native platform that offers network traffic control capabilities based on various attributes like application, user, address, and port.
FWPUCLNT.DLL and BFE.DLL play key roles in extracting tokens. By calling FwpsOpenToken0, a handle is duplicated from BfeRpcOpenToken, effectively accessing the BFE service token.
BfeDriverTokenQuery triggers BfeRpcOpenToken, leading to a device IO request to “WfpAle.”
This device was created by the tcpip.sys driver becomes instrumental in the token extraction process.
Token query involves calculating a hash based on the LUID, iterating over a hash table, and identifying the appropriate entry. The token insertion function, WfpAleInsertTokenInformationByUserTokenIdIfNeeded, is explored, revealing its relation to IPSec.
Duplicating Tokens via WFP:
By sending a device IO request, WfpAleProcessTokenReference is invoked, attaching the thread to the process space, duplicating tokens, and adding them to the hash table. Brute-forcing the LUID can lead to token duplication.
Triggering IPSec Connection
Configuring an IPSec policy can lead to token insertion into the hash table. The Print Spooler service is exploited to achieve this through RPC calls.
Gaining the token of another logged-on user can facilitate lateral movement.
The OneSyncSvc service, involving RPC calls and ALPC ports, is manipulated to achieve this. While these attack techniques are designed to be stealthy, they are not undetectable.
The “NoFilter” technique highlights a sophisticated and covert approach to privilege escalation by exploiting the Windows Filtering Platform.
Security professionals are advised to stay vigilant, monitor for suspicious activities related to the Windows Filtering Platform, and explore ways to defend against such attacks.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.
Hackers prefer phishing as it exploits human vulnerabilities rather than technical flaws which make it a highly effective and low-cost…
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…