DEF CON 31 - Staying Undetected Using the Windows Container Isolation Framework - Daniel Avinoam

  • Published: 15 Sep 2023
  • Containers have become an integral part of any resource-efficient and secure environment. Starting with Windows Server 2016, Microsoft shipped its own version of this technology, Windows Containers, which offers either process isolation or Hyper-V isolation.
    In both cases, an efficient file system separation must be provided. On one hand, each container must be able to read system files and write changes that do not affect the host. On the other, copying the entire main volume on every container launch would be storage-inefficient and impractical.
    In this presentation, we will cover the basics of Windows containers, break down their file system isolation framework, reverse-engineer its main mini-filter driver, and see how an actor can use and manipulate it to bypass EDR products in several domains. Finally, we will release an open-source tool based on these findings.
    This technology caught my attention for several reasons:
    Containers and virtualization solutions are everywhere, and their internal workings are not well documented.
    Actors often search for ways to escape containers. The idea of intentionally entering one in order to evade security products has yet to be explored.
    This framework has no prerequisites and ships by default in every modern Windows image (at least the part we will abuse).
  • Science
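Which mini-filter sees a file operation first is decided by altitude: a filter with a higher altitude runs its pre-operation callback before one with a lower altitude, so a security product's filter positioned above the container isolation driver evaluates a request before that driver rewrites it. The following PowerShell is an added example, not the speaker's tool or any code from the talk: it parses the table printed by `fltmc filters` (which needs an elevated prompt) and reports which loaded minifilters sit above and below wcifs on this host. The function name Get-LoadedMinifilter is my own.

```powershell
# Added example, not from the talk: list loaded minifilters and show where wcifs
# sits in the altitude ordering. Run from an elevated PowerShell on Windows.

function Get-LoadedMinifilter {
    # Parse the fixed-column table printed by 'fltmc filters'. A typical row is:
    #   wcifs                                   0       189900         0
    # Header and dashed separator lines do not match the pattern and are skipped.
    $raw = & fltmc.exe filters 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fltmc failed (exit $LASTEXITCODE); run from an elevated prompt. Output: $raw"
    }
    foreach ($line in $raw) {
        if ($line -match '^(?<Name>\S+)\s+(?<Instances>\d+)\s+(?<Altitude>[\d.]+)\s+(?<Frame>\S+)\s*$') {
            [pscustomobject]@{
                Name      = $Matches.Name
                Instances = [int]$Matches.Instances
                Altitude  = [double]$Matches.Altitude
                Frame     = $Matches.Frame   # integer frame number, or <Legacy> for legacy filters
            }
        }
    }
}

$filters = Get-LoadedMinifilter | Sort-Object Altitude -Descending
$wcifs   = $filters | Where-Object Name -eq 'wcifs'

if (-not $wcifs) {
    Write-Host 'wcifs is not loaded on this host.'
} else {
    Write-Host ("wcifs is loaded at altitude {0} with {1} attached instance(s)." -f $wcifs.Altitude, $wcifs.Instances)

    # Higher altitude = earlier in the pre-operation path. Filters listed under
    # "above" see a create/write request before wcifs has a chance to redirect it;
    # filters under "below" only see what wcifs passes down.
    $above = $filters | Where-Object { $_.Altitude -gt $wcifs.Altitude }
    $below = $filters | Where-Object { $_.Altitude -lt $wcifs.Altitude }

    Write-Host "`nFilters above wcifs (see the request first):"
    $above | Format-Table Name, Altitude, Instances, Frame -AutoSize
    Write-Host "Filters below wcifs (see the request after wcifs):"
    $below | Format-Table Name, Altitude, Instances, Frame -AutoSize
}
```

The instance count is worth watching as well: `fltmc instances -f wcifs` shows which volumes the driver is currently attached to, and an attachment appearing on a host that runs no containers is the kind of change a monitoring rule can key on.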

Comments • 9

  • @trollemaudacity80poundfupa49 8 months ago +1

    Loved this guy’s work with the Zohan

  • @geroffmilan3328 9 months ago +3

    Awesome work.

  • @gervin814 9 months ago +3

    Great job

  • @CU.SpaceCowboy 7 months ago +2

    super interesting talk. very clever. great English for a foreigner, too. 👍

  • @actuator 5 months ago

    - [00:00](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🪟 Windows Containers Introduction
    - [01:24](ruclips.net/video/Cm-zFx6hwzk/видео.html) 📋 Job Objects & Silos
    - [03:18](ruclips.net/video/Cm-zFx6hwzk/видео.html) 📁 Reparse Points Usage
    - [04:39](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🚗 Mini-filter Drivers Role
    - [06:57](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🔄 Mini-filters & Reparse Points
    - [08:46](ruclips.net/video/Cm-zFx6hwzk/видео.html) 👻 Dynamic Images in Containers
    - [09:36](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🚪 Redirection for Obfuscation
    - [10:06](ruclips.net/video/Cm-zFx6hwzk/видео.html) 📦 Introduction to wcifs Driver
    - [12:27](ruclips.net/video/Cm-zFx6hwzk/видео.html) 📝 wcifs PreCreate Requirements
    - [16:31](ruclips.net/video/Cm-zFx6hwzk/видео.html) 📎 How wcifs Handles LINK_1
    - [18:12](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🧩 How wcifs Handles WCI_1
    - [20:08](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🗄 Handling Non-existent Files
    - [21:25](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🕵 Reverse Engineer WCIFS
    - [22:49](ruclips.net/video/Cm-zFx6hwzk/видео.html) ⬆ Mini-filter Altitudes
    - [25:29](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🚧 Bypass EDR Filters
    - [27:17](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🔄 Create Undetectable Wiper
    - [28:39](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🌐 Create Undetectable Ransomware
    - [30:56](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🚫 Bypass Write Restrictions
    - [32:24](ruclips.net/video/Cm-zFx6hwzk/видео.html) 📊 ETW Log Misinformation
    - [33:21](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🕵‍♂ Steal Data Stealthily
    - [34:43](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🔐 Bypass File Protections
    - [35:35](ruclips.net/video/Cm-zFx6hwzk/видео.html) 🔍 Detect Suspicious Activity

  • @VintageSecure 6 months ago +1

    This is scary stuff in the wrong hands. 😅

  • @Nittai_Shiff 9 months ago +1

    Lots of Israelis this year

  • @MagicPlants 9 months ago

    NVIDIA removes echo for free...