Hackers Could Exploit Windows Container Isolation Framework to Evade Endpoint Security

Recent research has detailed a method that malicious actors could use to circumvent endpoint security solutions by abusing the Windows Container Isolation Framework.

Deep Instinct security researcher Daniel Avinoam presented these findings at the DEF CON security conference, which took place earlier this month.

Microsoft’s container architecture, including Windows Sandbox, utilizes a dynamically generated image to separate the file system of each container from the host while avoiding the duplication of system files.

In simpler terms, this involves creating an “operating system image that contains clean copies of changeable files, linked to unchangeable files within the existing Windows image on the host.” This approach reduces the overall size required for a complete OS.

This is where the Windows Container Isolation FS (wcifs.sys) minifilter driver becomes relevant. This driver’s primary function is to manage the separation of the file system between Windows containers and their host.

The driver resolves these "ghost" files (the placeholder entries in the container image) by parsing the reparse point attached to each one. The reparse tag in that structure identifies the tag's owner, i.e., the implementer of the file system filter driver that performs additional, filter-defined processing on the file during I/O operations.

Microsoft identifies two such reparse tag data structures used by the Windows Container Isolation filter: IO_REPARSE_TAG_WCI_1 and IO_REPARSE_TAG_WCI_LINK_1.

In essence, the idea is to run the current process inside a container the attacker fabricates itself and to have the minifilter driver handle the process's I/O requests, so that files can be created, read, written, and deleted on the file system without the security software being alerted.

It's important to note that a minifilter does not attach to the file system stack directly; it registers with the filter manager for the I/O operations it intends to filter. Each minifilter is assigned a unique altitude, a numeric value allocated by Microsoft based on the filter's requirements and its load order group. A higher altitude places the filter nearer the I/O manager, so it sees a request earlier than filters below it.

The wcifs.sys driver sits in the lower altitude range 180,000-189,999 (specifically at 189,900), whereas antivirus filters, including third-party ones, sit in the range 320,000-329,999. Because wcifs is below them, its redirection takes place after the antivirus filters have already seen the request as the container issued it, so the file operation that actually lands on disk does not pass through their callbacks. As a result, a range of file operations can be carried out without triggering the security software.
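The two practical checks a defender will want are: where does wcifs sit relative to the anti-virus filters on this host, and what does the reparse tag on a given file say about its owner. The following PowerShell is an added example, not code from the article or from Deep Instinct. It parses the output of `fltmc filters` (a built-in tool) to list loaded minifilters by altitude relative to wcifs, using the two altitude ranges quoted above, and decodes a file's reparse tag as reported by `fsutil reparsepoint query` into the standard flag bits (Microsoft-owned, name surrogate, directory) plus the low 16-bit tag value. The numeric values of IO_REPARSE_TAG_WCI_1 and IO_REPARSE_TAG_WCI_LINK_1 are defined in the Windows headers and are not reproduced here; the file path in the usage line is a placeholder. Both tools require an elevated prompt.

```powershell
# Added example (not from the article or Deep Instinct). Run elevated:
# fltmc and fsutil both need administrative rights.

# Altitude ranges as quoted in the article: FSFilter Virtualization (wcifs)
# and FSFilter Anti-Virus.
$VirtRange = @{ Low = 180000; High = 189999 }
$AvRange   = @{ Low = 320000; High = 329999 }

function Get-MinifilterAltitudes {
    # 'fltmc filters' prints a header line and a dashed separator, then one
    # row per loaded minifilter: Filter Name, Num Instances, Altitude, Frame.
    fltmc filters | Select-Object -Skip 2 | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)') {
            [pscustomobject]@{
                Name      = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = [double]$Matches[3]
                Frame     = $Matches[4]
            }
        }
    }
}

function Show-FilterStackRelativeToWcifs {
    # Lists every loaded minifilter from highest altitude (nearest the I/O
    # manager, sees a request first) to lowest, marking which ones sit in
    # the anti-virus range and whether they are above or below wcifs.
    $filters = Get-MinifilterAltitudes | Sort-Object Altitude -Descending
    $wcifs = $filters | Where-Object Name -eq 'wcifs' | Select-Object -First 1
    if (-not $wcifs) {
        Write-Warning 'wcifs is not loaded on this host.'
        return $filters
    }
    foreach ($f in $filters) {
        $group = if ($f.Altitude -ge $AvRange.Low -and $f.Altitude -le $AvRange.High) { 'Anti-Virus' }
                 elseif ($f.Altitude -ge $VirtRange.Low -and $f.Altitude -le $VirtRange.High) { 'Virtualization' }
                 else { '' }
        # A filter above wcifs sees the request before wcifs redirects it;
        # a filter below wcifs sees the redirected request, if any.
        $position = if ($f.Name -eq 'wcifs') { '<- wcifs' }
                    elseif ($f.Altitude -gt $wcifs.Altitude) { 'above wcifs' }
                    else { 'below wcifs' }
        '{0,-20} {1,10} {2,-15} {3}' -f $f.Name, $f.Altitude, $group, $position
    }
}

function Get-ReparseTagInfo {
    param([Parameter(Mandatory)][string]$Path)
    # 'fsutil reparsepoint query' reports the tag as 'Reparse Tag Value : 0x...'.
    $out = fsutil reparsepoint query $Path 2>&1 | Out-String
    if ($out -notmatch 'Reparse Tag Value\s*:\s*0x([0-9A-Fa-f]+)') {
        return $null   # not a reparse point, or access was denied
    }
    $tag = [int64][Convert]::ToUInt32($Matches[1], 16)
    [pscustomobject]@{
        Path          = $Path
        Tag           = '0x{0:X8}' -f $tag
        IsMicrosoft   = ((($tag -shr 31) -band 1) -eq 1)   # IsReparseTagMicrosoft
        NameSurrogate = ((($tag -shr 29) -band 1) -eq 1)   # IsReparseTagNameSurrogate
        IsDirectory   = ((($tag -shr 28) -band 1) -eq 1)   # IsReparseTagDirectory
        TagValue      = ($tag -band 0xFFFF)                # low 16 bits: the owner's tag number
    }
}

Show-FilterStackRelativeToWcifs
# Get-ReparseTagInfo -Path 'C:\path\to\file'   # placeholder path; inspect one file's tag
```

Reading the listing, the interesting rows are the ones in the Anti-Virus group marked "above wcifs": those are the callbacks that see a request before wcifs acts on it. A file whose tag decodes as Microsoft-owned with a WCI tag value (compare TagValue against the constants in the Windows headers) is one that wcifs will redirect.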

However, it's important to note that carrying out this attack requires administrative privileges in order to communicate with the wcifs.sys driver, and it cannot be used to overwrite files on the host system.

These findings coincide with the cybersecurity company presenting a stealthy technique called NoFilter, which abuses the Windows Filtering Platform (WFP) to elevate a user's privileges to SYSTEM and potentially execute malicious code.

The NoFilter attacks use WFP to duplicate the access token of another process, to establish an IPSec connection and leverage the Print Spooler service so that a SYSTEM token is inserted into WFP's token table, and to obtain the token of another user logged into the compromised system for lateral movement.