A new privilege-escalation technique named NoFilter abuses the Windows Filtering Platform (WFP) to go from a local administrator account to NT AUTHORITY\SYSTEM on Windows. The approach was previously undocumented, and because it avoids the user-mode API calls that security products usually hook, an attacker who already holds admin rights could use it to obtain SYSTEM access with little chance of being noticed.
Ron Ben Yizhak, a security researcher at Deep Instinct, pointed out that administrator privileges alone are not enough for some post-exploitation tasks, LSASS Shtinkering (the LSASS-dumping technique Deep Instinct presented earlier) among them. Such tasks require running as “NT AUTHORITY\SYSTEM,” which is why the research concentrated on escalating from admin to SYSTEM rather than on gaining admin in the first place.
The findings were presented at the DEF CON 31 security conference. Using RPC Mapper, an internal Deep Instinct tool that enumerates RPC interfaces, the researchers found the “BfeRpcOpenToken” method, exposed by the Base Filtering Engine (BFE) service that underpins the WFP, and showed that it can be driven to obtain a token the caller would not normally be able to reach.
The WFP is the set of kernel-mode and user-mode components through which Windows filters network traffic; firewall, connection-security and IPsec rules are all configured through it. Ben Yizhak explained that calling NtQueryInformationProcess with the ProcessHandleInformation class returns a process’s handle table, which includes the handles of any access tokens that process holds. Once a token handle in a SYSTEM process has been located, the WFP kernel component can be made to duplicate that token into the attacker’s process, which can then start a new process running with SYSTEM privileges.
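The handle-table enumeration step described above, as an added PowerShell example that is not part of the Deep Instinct research or its tooling. It assumes Windows 8 or later, an elevated shell, and that the target process (winlogon.exe here, chosen because it runs as SYSTEM) can be opened with PROCESS_QUERY_INFORMATION; the struct layout and the information class value 51 (ProcessHandleInformation) follow the undocumented native API as published in the phnt headers. The Token object-type index is learned by opening our own token and finding it in our own handle table, so no handle is duplicated at any point. The WFP duplication step itself is not reproduced.

```powershell
# Added example: list the access-token handles held by another process via
# NtQueryInformationProcess(ProcessHandleInformation). Not Deep Instinct code.
# Assumptions: Windows 8+, elevated shell, target openable with PROCESS_QUERY_INFORMATION.
$src = @"
using System;
using System.Runtime.InteropServices;

public static class HandleEnum
{
    // PROCESS_HANDLE_TABLE_ENTRY_INFO as defined in phnt (40 bytes on x64).
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_HANDLE_TABLE_ENTRY_INFO
    {
        public IntPtr  HandleValue;
        public UIntPtr HandleCount;
        public UIntPtr PointerCount;
        public uint    GrantedAccess;
        public uint    ObjectTypeIndex;
        public uint    HandleAttributes;
        public uint    Reserved;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr ProcessHandle, int ProcessInformationClass,
        IntPtr ProcessInformation, int ProcessInformationLength, out int ReturnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    const int ProcessHandleInformation = 51;                       // phnt: PROCESS_HANDLE_SNAPSHOT_INFORMATION
    const int STATUS_INFO_LENGTH_MISMATCH = unchecked((int)0xC0000004);

    // Returns a snapshot of every entry in the target's handle table.
    public static PROCESS_HANDLE_TABLE_ENTRY_INFO[] Snapshot(IntPtr hProcess)
    {
        int size = 0x1000;
        while (true)
        {
            IntPtr buf = Marshal.AllocHGlobal(size);
            try
            {
                int ret;
                int status = NtQueryInformationProcess(hProcess, ProcessHandleInformation, buf, size, out ret);
                if (status == STATUS_INFO_LENGTH_MISMATCH) { size = Math.Max(size * 2, ret); continue; }
                if (status != 0) throw new Exception("NtQueryInformationProcess failed: 0x" + status.ToString("X8"));

                // Header is NumberOfHandles, Reserved (both pointer-sized); entries follow.
                long count     = Marshal.ReadIntPtr(buf).ToInt64();
                int  entrySize = Marshal.SizeOf(typeof(PROCESS_HANDLE_TABLE_ENTRY_INFO));
                long first     = buf.ToInt64() + 2 * IntPtr.Size;
                var entries = new PROCESS_HANDLE_TABLE_ENTRY_INFO[count];
                for (long i = 0; i < count; i++)
                    entries[i] = (PROCESS_HANDLE_TABLE_ENTRY_INFO)Marshal.PtrToStructure(
                        new IntPtr(first + i * entrySize), typeof(PROCESS_HANDLE_TABLE_ENTRY_INFO));
                return entries;
            }
            finally { Marshal.FreeHGlobal(buf); }
        }
    }
}
"@
Add-Type -TypeDefinition $src

# Step 1: learn the object-type index of "Token" from our own handle table. We open our own
# token (TOKEN_QUERY = 0x0008), find that handle value in the snapshot and read its type index.
$me    = [HandleEnum]::GetCurrentProcess()
$myTok = [IntPtr]::Zero
if (-not [HandleEnum]::OpenProcessToken($me, 0x0008, [ref]$myTok)) { throw "OpenProcessToken failed" }
$tokenTypeIndex = ([HandleEnum]::Snapshot($me) | Where-Object { $_.HandleValue -eq $myTok }).ObjectTypeIndex
[void][HandleEnum]::CloseHandle($myTok)
if ($null -eq $tokenTypeIndex) { throw "could not locate our own token in our handle table" }

# Step 2: snapshot the target's handle table and keep only the Token entries.
# winlogon.exe is used as the SYSTEM process; any PID can be substituted.
$targetPid = (Get-Process -Name winlogon | Select-Object -First 1).Id
$hTarget   = [HandleEnum]::OpenProcess(0x0400, $false, $targetPid)      # PROCESS_QUERY_INFORMATION
if ($hTarget -eq [IntPtr]::Zero) { throw "OpenProcess($targetPid) failed (need elevation / SeDebugPrivilege)" }
$tokens = [HandleEnum]::Snapshot($hTarget) | Where-Object { $_.ObjectTypeIndex -eq $tokenTypeIndex }
[void][HandleEnum]::CloseHandle($hTarget)

"{0} handle(s) in PID {1} are tokens (Token type index {2}):" -f @($tokens).Count, $targetPid, $tokenTypeIndex
$tokens | ForEach-Object { "  handle 0x{0:X} granted access 0x{1:X8}" -f $_.HandleValue.ToInt64(), $_.GrantedAccess }
```

Each listed entry is a token handle inside the target; in the classic approach the next step would be DuplicateHandle or DuplicateTokenEx from user mode, which is exactly the call chain NoFilter replaces with the WFP kernel path. Note that NtQueryInformationProcess itself is therefore still a useful observable for defenders.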
Significantly, with NoFilter the duplication happens inside the kernel, performed by the WFP driver rather than by a user-mode call to DuplicateHandle or DuplicateTokenEx. That both improves stealth and leaves fewer traces pointing at the creation of the elevated process. The technique lets commands run in the “NT AUTHORITY\SYSTEM” context, or as any other user currently logged on to the machine, which widens its usefulness well beyond a single privilege boundary.
The implications go beyond this one technique: built-in OS components such as the WFP can hide attack surface that nobody thought to look at. The point is sharpened by the fact that NoFilter never touches the Win32 API functions that security products commonly hook for token theft, so a detection strategy built on those hooks will not fire; defenders have to look instead at the resulting behaviour, such as a new SYSTEM process whose parent is an ordinary admin-level process.
The disclosure follows other notable findings in the same period, including SafeBreach’s demonstration of a cloud-based ransomware approach that encrypts a victim’s data without executing malicious code on the target system, and ShorSec’s proof of concept for a “threadless” process injection technique, both of which illustrate how attacker tradecraft keeps shifting away from the primitives defenders monitor.
Organizations should treat such techniques as a reason to revisit what their detection actually covers. NoFilter shows that escalation from admin to SYSTEM can happen through a legitimate OS component with no hooked API in the chain, so mapping coverage against the MITRE ATT&CK tactics involved, Privilege Escalation and Persistence in particular, and then validating that coverage against technique-level behaviour rather than API names is what makes a difference against attacks of this kind.