The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month.
Microsoft’s container architecture (and, by extension, Windows Sandbox) uses a dynamically generated image to separate the file system from each container to the host and simultaneously avoid duplication of system files.
It’s nothing but an “operating system image that has clean copies of files that can change but links to files that cannot change that are in the Windows image that already exists on the host,” thereby bringing down the overall size for an entire OS.
“The result is images that contain ‘ghost files,’ which store no actual data but point to a different volume on the system,”.
This is where the Windows Container Isolation FS (wcifs.sys) minifilter driver comes into play. The driver mainly aims to handle the file system separation between Windows containers and their host.
In other words, the idea is to have the current process running inside a fabricated container and leverage the mini-filter driver to handle I/O requests such that it can create, read, write, and delete files on the file system without alerting security software.
At this stage, it’s worth pointing out that a mini-filter attaches to the file system stack indirectly by registering with the filter manager for the I/O operations it chooses to filter. Each mini-filter is allocated a Microsoft-assigned “integer” altitude value based on filter requirements and load order group.
The wcifs driver has an altitude range of 180000-189999 (specifically 189900), while antivirus filters, including those from third-parties, function at an altitude range of 320000-329999. As a result, various file operations can be performed without getting their callbacks triggered.
“Because we can override files using the IO_REPARSE_TAG_WCI_1 reparse tag without detecting antivirus drivers, their detection algorithm will not receive the whole picture and thus will not trigger,” Avinoam explained.
That being said, pulling off the attack requires administrative permissions to communicate with the wcifs driver and it cannot be used to override files on the host system.
The disclosure comes as the cybersecurity company demonstrated a stealthy technique called NoFilter that abuses the Windows Filtering Platform (WFP) to elevate a user’s privileges to that of SYSTEM and potentially execute malicious code.
The attacks allow the use of WFP to duplicate access tokens for another process, trigger an IPSec connection and leverage the Print Spooler service to insert a SYSTEM token into the table, and make it possible to obtain the token of another user logged into the compromised system for lateral movement.