A new attack method known as the “NoFilter Attack” has been disclosed, showing how the Windows Filtering Platform (WFP) can be abused for privilege escalation on Windows. The technique was presented at the DEF CON security conference by cybersecurity firm Deep Instinct. As explained by Ron Ben Yizhak, a security researcher at Deep Instinct, it lets an adversary who already holds administrator privileges escalate to “NT AUTHORITY\SYSTEM,” the higher level of access needed for tasks such as manipulating LSASS. Note that admin-to-SYSTEM is generally not treated by Microsoft as a security boundary that warrants a fix, so the practical value of the technique lies in how quietly it reaches SYSTEM rather than in crossing a new privilege boundary.
The research began with an in-house tool called RPC Mapper, which the researchers used to map remote procedure call (RPC) methods; this surfaced a method named “BfeRpcOpenToken,” exposed by the Base Filtering Engine (BFE) service that is part of WFP. WFP is a set of APIs and system services for processing network traffic and configuring filters that allow or block communication. Digging into this framework, Ben Yizhak described how an attacker can use NtQueryInformationProcess to read another process’s handle table and locate handles to access tokens, then have WFP duplicate those tokens so that a process under the attacker’s control runs as “NT AUTHORITY\SYSTEM.”
What makes the NoFilter Attack notable is that the token duplication is carried out by WFP code in the kernel rather than by the attacker’s own process calling the usual user-mode APIs such as DuplicateHandle or DuplicateTokenEx, which are exactly the calls that endpoint security products tend to hook and monitor; this makes the technique quiet and hard to detect. The end result is a new console launched as “NT AUTHORITY\SYSTEM” or as another logged-in user, bypassing the telemetry that traditional token-theft detections rely on. The broader lesson is that scrutinizing built-in operating system components can uncover new attack vectors, and that defenders should hunt for the effect of such techniques (a process running under a different account than the one that spawned it) rather than only for the API calls used to get there.
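Because the duplication step itself leaves no user-mode DuplicateHandle or DuplicateTokenEx call to hook, one practical place to look is the outcome the article describes: a console running as NT AUTHORITY\SYSTEM or as another logged-in user, spawned by a process that belongs to a different account. The following PowerShell hunting check is an added example and is not code from the article or from Deep Instinct; it flags live processes whose token owner differs from their parent’s owner. The list of parents that legitimately start children under a different account ($expectedParents) is an assumption and should be tuned to the environment.

```powershell
# Added hunting check (not Deep Instinct's code): flag running processes whose
# owner differs from the owner of the process that spawned them. A shell started
# as NT AUTHORITY\SYSTEM or as another logged-in user from an admin's process
# shows up here, regardless of which API (or which kernel path) produced the token.

# ASSUMPTION: parents that legitimately spawn children under another account.
# Tune this to the environment; a short list means more noise, a long list means blind spots.
$expectedParents = @('services.exe', 'svchost.exe', 'winlogon.exe', 'wininit.exe',
                     'lsass.exe', 'userinit.exe', 'consent.exe', 'RuntimeBroker.exe')

function Get-ProcOwner {
    param($Proc)
    # Win32_Process.GetOwner returns Domain/User; ReturnValue is non-zero for
    # protected or already-exited processes, which we simply skip.
    $o = Invoke-CimMethod -InputObject $Proc -MethodName GetOwner -ErrorAction SilentlyContinue
    if ($null -eq $o -or $o.ReturnValue -ne 0) { return $null }
    return "$($o.Domain)\$($o.User)"
}

function Find-OwnerMismatch {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $parent) { continue }                       # parent already exited
        # PIDs get reused: a "parent" created after its child is not the real parent.
        if ($parent.CreationDate -gt $p.CreationDate) { continue }
        if ($expectedParents -contains $parent.Name) { continue }

        $childOwner  = Get-ProcOwner $p
        $parentOwner = Get-ProcOwner $parent
        if ($null -eq $childOwner -or $null -eq $parentOwner) { continue }

        if ($childOwner -ne $parentOwner) {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Process     = $p.Name
                Owner       = $childOwner
                ParentPid   = $parent.ProcessId
                Parent      = $parent.Name
                ParentOwner = $parentOwner
                CommandLine = $p.CommandLine
            }
        }
    }
}

# Run from an elevated prompt so GetOwner succeeds for most processes.
Find-OwnerMismatch | Sort-Object Owner, Parent | Format-Table -AutoSize
```

A cmd.exe or powershell.exe owned by NT AUTHORITY\SYSTEM whose parent is an interactive user’s process is the pattern worth triaging; a child owned by a different interactive user than its parent is the “another logged-in user” case. This is a point-in-time snapshot, so for continuous coverage the same owner-versus-parent-owner comparison is better applied to process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688, where the subject account and the new process’s token account can be compared).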