Malware
Endpoint security evasion possible by exploiting Windows Container Isolation Framework
Attackers could abuse the Windows Container Isolation Framework, the mechanism Windows uses to keep a container's file system separate from the host's, to circumvent malware detection controls and evade endpoint security systems, The Hacker News reports.
Malicious file system activity could remain undetected by running the current process inside a fabricated container and routing its input/output operations through the framework's minifilter driver (wcifs.sys), according to a Deep Instinct report presented at the DEF CON security conference. Security products that rely on their own file system minifilters to inspect I/O see the request to the reparse point, not the file the framework redirects it to.
"Because we can override files using the IO_REPARSE_TAG_WCI_1 reparse tag without the detection of antivirus drivers, their detection algorithm will not receive the whole picture and thus will not trigger," said researcher Daniel Avinoam, who noted that administrative permissions are needed to conduct the attack.
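One artifact this technique leaves on disk is a file or directory carrying the IO_REPARSE_TAG_WCI_1 (or IO_REPARSE_TAG_WCI) reparse tag outside the directories where container layering legitimately creates them. The script below is an added example, not code from the article, from SC Media or from Deep Instinct's research: it decodes reparse tags using the bit layout and tag values from winnt.h and walks a tree looking for WCI-tagged entries. The allow-list of expected prefixes (for instance your container image store) is an assumption you tune for your hosts, and the function names are this example's own. The stat fields it reads (st_file_attributes, st_reparse_tag) are populated only on Windows with Python 3.8 or later; on other platforms the scan reports nothing.

```python
"""Hunt for Windows Container Isolation Framework (wcifs) reparse points.

Added example; not code from the article or from Deep Instinct. Tag values
and the tag bit layout are from winnt.h. The allow-list and all function
names are this example's own assumptions.
"""
import os
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional, Sequence

# Reparse tag values from winnt.h.
IO_REPARSE_TAG_WCI = 0x80000018    # Windows Container Isolation
IO_REPARSE_TAG_WCI_1 = 0x90001018  # WCI version 1, the tag named in the report

# Bit layout of a reparse tag, as read by the IsReparseTag* macros in winnt.h.
TAG_MICROSOFT = 0x80000000       # tag owned by Microsoft
TAG_NAME_SURROGATE = 0x20000000  # entry stands in for another name (symlink, junction)
TAG_DIRECTORY = 0x10000000       # tag may be applied to directories
TAG_VALUE_MASK = 0x0000FFFF      # low 16 bits identify the tag itself

FILE_ATTRIBUTE_REPARSE_POINT = 0x400

WCI_TAG_NAMES = {
    IO_REPARSE_TAG_WCI: "IO_REPARSE_TAG_WCI",
    IO_REPARSE_TAG_WCI_1: "IO_REPARSE_TAG_WCI_1",
}


@dataclass(frozen=True)
class TagInfo:
    tag: int
    value: int
    microsoft: bool
    name_surrogate: bool
    directory: bool
    name: str


def decode_tag(tag: int) -> TagInfo:
    """Split a 32-bit reparse tag into its flag bits and 16-bit tag value."""
    return TagInfo(
        tag=tag,
        value=tag & TAG_VALUE_MASK,
        microsoft=bool(tag & TAG_MICROSOFT),
        name_surrogate=bool(tag & TAG_NAME_SURROGATE),
        directory=bool(tag & TAG_DIRECTORY),
        name=WCI_TAG_NAMES.get(tag, f"0x{tag:08X}"),
    )


def is_wci_tag(tag: int) -> bool:
    return tag in WCI_TAG_NAMES


def reparse_tag_of(path: str) -> Optional[int]:
    """Reparse tag of *path* without following it, or None if it is not a
    reparse point. Only Windows populates the attributes used here."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if not getattr(st, "st_file_attributes", 0) & FILE_ATTRIBUTE_REPARSE_POINT:
        return None
    return getattr(st, "st_reparse_tag", None)


@dataclass(frozen=True)
class WciHit:
    path: str
    info: TagInfo


def iter_wci_hits(root: str, allowed_prefixes: Sequence[str] = ()) -> Iterator[WciHit]:
    """Walk *root* and yield entries carrying a WCI tag outside *allowed_prefixes*.
    Reparse-point directories are reported but never descended into, so a
    redirected directory cannot pull the walk through wcifs or into a loop."""
    allowed = tuple(os.path.normcase(p) for p in allowed_prefixes)

    def report(full: str, tag: int) -> Optional[WciHit]:
        if is_wci_tag(tag) and not os.path.normcase(full).startswith(allowed):
            return WciHit(full, decode_tag(tag))
        return None

    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in list(dirnames):
            full = os.path.join(dirpath, name)
            tag = reparse_tag_of(full)
            if tag is not None:
                dirnames.remove(name)  # do not walk through reparse points
                hit = report(full, tag)
                if hit:
                    yield hit
        for name in filenames:
            full = os.path.join(dirpath, name)
            tag = reparse_tag_of(full)
            if tag is not None:
                hit = report(full, tag)
                if hit:
                    yield hit


def collect_wci_hits(root: str, allowed_prefixes: Sequence[str] = ()) -> List[WciHit]:
    return list(iter_wci_hits(root, allowed_prefixes))


if __name__ == "__main__":
    # Usage: python wci_hunt.py <root> [allowed_prefix ...]
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for h in iter_wci_hits(scan_root, sys.argv[2:]):
        print(f"{h.info.name} ({h.info.tag:#010x}) dir={h.info.directory}: {h.path}")
```

Because the scan reads reparse metadata with lstat rather than opening the files, it does not itself trigger the redirection the report describes; it answers the narrower question of whether WCI-tagged entries exist where no container image should have put them.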
The findings follow an earlier Deep Instinct report on privilege escalation attacks that abuse the Windows Filtering Platform to duplicate access tokens, trigger IPSec connections, insert SYSTEM tokens, and exfiltrate tokens.