Security researchers have released NoFilter, a tool that abuses the Windows Filtering Platform to elevate a user's privileges to increases privileges to SYSTEM, the highest permission level on Windows.

The utility is helpful in post-exploitation scenarios where an attacker needs to execute malicious code with higher permissions or to move laterally on a victim network as another user already logged into the infected device.

Access token duplication

Microsoft defines the Windows Filtering Platform (WFP) as “a set of API and system services that provide a platform for creating network filtering applications.”

Developers can use the WFP API to create code that can filter or modify network data before it reaches the destination, capabilities seen in network monitoring tools, intrusion detection systems, or firewalls.

Researchers at cybersecurity company Deep Instinct developed three new attacks to elevate privileges on a Windows machine without leaving too much evidence and without being detected by numerous security products.

The first method allows the use of WFP to duplicate access tokens, the pieces of code that identify users and their permissions in the security context of threads and processes.

When a thread executes a privileged task, security identifiers verify if the associated token has the required level of access.

Ron Ben Yizhak, security researcher at Deep Instinct, explains that calling the NtQueryInformationProcess function allows getting the handle table with all the tokens a process holds.

“The handles to those tokens can be duplicated for another process to escalate to SYSTEM,” Yizhak notes in a technical blog post.

The researcher explains that an important driver in Windows operating system called tcpip.sys has several functions that could be invoked by device IO requests to WPF ALE (Application Layer Enforcement) kernel-mode layers for stateful filtering.

The NoFilter tool abuses WPF in this way to duplicate a token and thus achieve privilege escalation.

By avoiding the call to DuplicateHandle, the researcher says, increases stealth and many endpoint detection and response solutions will likely miss the malicious action.

Getting SYSTEM and admin access token

A second technique involves triggering an IPSec connection and abusing the Print Spooler service to insert a SYSTEM token into the table.

Using the RpcOpenPrinter function retrieves -handle for a printer by name. By changing the name to “\\127.0.0.1,” the service connects to the local host.

Following the RPC call, multiple device IO requests to WfpAleQueryTokenById are necessary to retrieve a SYSTEM token.

Yizhak says that this method is stealthier than the first one because configuring an IPSec policy is an action typically done by legitimate privileged users like network administrators.

A third technique described in Yizhak’s post allows obtaining the token of another user logged into the compromised system for lateral movement purposes.

The researcher says that it is possible to launch a process with the permissions of a logged-in user if the access token can be added to the hash table.

He looked for Remote Procedural Call (RPC) servers running as the logged-in user and ran a script to find processes that run as the domain admin and expose an RPC interface.

To obtain the token and launch an arbitrary process with the permissions of a logged user, the researcher abused the OneSyncSvc service and SyncController.dll, which are new components in the world of offensive tools.

Detection advice

Hackers and penetration testers are likely to adopt the three techniques since reporting them to Microsoft Security Response Center resulted in the company saying that the behavior was as intended. This typically means that there won’t be a fix or mitigation.

However, despite being stealthier than other methods, Deep Instinct provides a few ways to detect the three attacks and recommends looking for the following events:

• Configuring new IPSec policies that don’t match the known network configuration.
• RPC calls to Spooler / OneSyncSvc while an IPSec policy is active.
• Brute force the LUID of a token via multiple calls to WfpAleQueryTokenById.
• Device IO request to the device WfpAle by processes other than the BFE service.

Yizhak presented the three new techniques at the DEF CON hacker conference earlier this month. Complete technical details are available in Deep Instinct’s post.

• Microsoft took down a string of embarrassing and offensive travel articles last week.

• The company said the articles were not published by "unsupervised AI" and blamed "human error."

• But the scope of the errors should concern anyone panic about AI's impact on the news.

Last week, Microsoft took down a string of articles published by "Microsoft Travel" that included a bizarre recommendation for visitors to Ottawa to visit the Ottawa Food Bank and to "consider going into it on an empty stomach."

The now-deleted article that included that recommendation — "Headed to Ottawa? Here's what you shouldn't miss!" — went viral after writer Paris Marx shared it as an example of an AI flop. The online chatter about the article, and the clearly offensive nature of the food bank recommendation, prompted Microsoft to issue a statement. The statement blamed a human.

"This article has been removed and we have identified that the issue was due to human error," a Microsoft spokesperson said. "The article was not published by an unsupervised AI. We combine the power of technology with the experience of content editors to surface stories. In this case, the content was generated through a combination of algorithmic techniques with human review, not a large language model or AI system. We are working to ensure this type of content isn't posted in future."

It wasn't the AI that was the problem, it was the human. There was a "content editor" and they made a mistake. We all make mistakes, right?

I might be more persuaded by that stance if that article, however egregious it was, were the only one. In fact, it was not. There were at least a handful of articles that made equally absurd if less offensive travel recommendations.

There was the article, "Try these mouth-watering dishes on your trip to Montreal," which suggested a "hamburger" with the Wikipedia-like entry noting that while the term "burger" can be applied to any type of meat patty, a "hamburger" in particular refers to a "sandwich comprised of a ground beef patty, a sliced bun of some kind, and toppings such as lettuce, tomato, cheese, etc." It listed McDonald's Canada as a popular place to try out. That article has since been removed.

Then there was, "Headed to Anchorage? Tempt your palate with these 6 local delicacies," which included "seafood" and pointed out that it is "basically any form of sea life regarded as food by humans, prominently including fish and shellfish." It continued on to say that "seafood is a versatile ingredient, so it makes sense that we eat it worldwide." That article has likewise been removed.

Another, "16 Most photo-worthy spots in Tokyo!," seemed to be doing okay running down prominent sites until it inexplicably dropped in a slide titled, "Eat Wagyu Beef." Perhaps it was supposed to be in one of the articles on food? That article has also been removed.

Those were just a few examples that I grabbed before the articles were apparently taken down. I reached out to Microsoft to understand what was going on. If, as the company said, these were not being published by "unsupervised AI," how could this happen?

Microsoft is no stranger to the news business. It has run a news aggregator (now Microsoft Start, formerly Microsoft News and MSN News) since 1995 that licenses stories from publications including Insider. But in 2020, my colleague Lucia Moses broke the news that it was cutting dozens of contractors and moving away from human curation and toward an AI-driven system.

Clearly, Microsoft has bet that AI is the future of news aggregation. Now, it seems, Microsoft has become perhaps a bit too confident that AI can do the work of writing the content. Based on the examples I found, whatever human controls Microsoft had in place were so minimal as to be functionally useless.

This all makes me uneasy for a few reasons. First, it suggests that despite a long relationship with the news business, Microsoft thinks humans can be pretty easily brushed aside in the process, to the point where it took public backlash to cause the company to look more closely at it. Second, Microsoft isn't commenting on most of the articles.

When I reached out, the Microsoft spokesperson said the company would only comment on the Ottawa Food Bank article, and not on the other ones that had been removed or what the review process was for them that broke down.

As my colleague Kai Xiang Teo wrote when first covering the Ottawa Food Bank article, Microsoft's misstep fits into a pattern of companies from CNET to Gizmodo publishing AI-assisted articles with glaring errors. But what about the articles that don't contain genuine "errors," per se? What about the hamburger one, or the seafood one? Will they continue publishing those types of stories when the heat dies down?

I hope this was just a boneheaded mistake. I hope Microsoft — and the other tech giants for that matter — don't think the work of those of us in the news business can be replaced by remixed Wikipedia-style articles stitched together in a barely coherent whole. I really do.

Read the original article on Business Insider

Yes, but it's just one step in the march to keep your data safe and your PC secure

Yes, which is why Microsoft included Defender Antivirus with Windows 11. But it's not the be-all and end-all of security. Below are several other techniques you need to utilize to stay safe while using Windows 11:

Always Turn on Antivirus Protection

I said above that Microsoft Defender Antivirus is already installed in Windows 11, so you don't have to download anything!

But you still need to be vigilant because it's actually pretty easy to turn it off. Malware will have a much easier time running on your computer if real-time protection is disabled.

Even if you don't disable the antivirus yourself, Windows 11 will automatically turn off real-time protection if you install a third-party antivirus program. It won't stay off forever, but it doesn't take long for malware to find its way into your computer.

To turn it on, search Windows for Windows Security, and then go to Virus & threat protection > Manage settings. Toggle the button next to Real-time protection.

If you're instead using an alternative free antivirus program, poke around that software to see what you can turn on for enhanced security. Beyond real-time protection, you'd be wise to also set up email checks, USB protection, and scheduled virus scans (or frequently use an on-demand virus scanner).

You need antivirus protection. There's no doubt about it. Another safeguard you should practice is simply awareness—stay as alert as possible when downloading files.

There are so many websites out there, so knowing how to avoid dangerous sites is vital. Many offer downloads or ads disguised as 'download' buttons that will take you to a malicious website. When these dangerous files end up on your PC, it could be minutes before your files are deleted, stolen, or held hostage.

The best thing you can do is stay fully aware of where you are online. Remember the websites you visit, the buttons and links you click, the emails you open, etc. Avoid overly suspicious download sources, like torrents, unless you know exactly what you're doing.

It's exhausting, I know, and really easy to forget to do. But it's one of the best defenses you have. In fact, antivirus protection is sort of like the last defense before your files are compromised. The first is simply avoiding downloading anything bad in the first place (definitely easier said than done).

Tip:

One helpful tip I want to call out is regarding your browser's file download option. Some browsers will automatically download files without asking you first. This is just as unsafe as it is convenient. All web browsers let you change this so that you're asked before anything is downloaded; here's how it works in Chrome.

Much like virus protection, Windows 11 also includes a firewall. This crucial part of Windows stops unwanted traffic from accessing your computer.

The firewall can open ports, like pathways, into your computer, through which an attacker could transfer files. Pay close attention to the ports and apps you allow through the firewall. Inbound access should be kept at a bare minimum, open only for software that requires it.

The Windows 11 firewall is on by default and shouldn't be turned off unless you're running an alternative firewall program.

A VPN is like a blacked-out, bulletproof tunnel through the internet. Microsoft doesn't provide one in Windows 11, but there are plenty of excellent options from other companies, and most are super easy to install on a computer.

When you turn on a full VPN, everything you do on Windows 11 travels through that tunnel. Whatever sites you visit, or files you send/receive are protected from your ISP and eavesdroppers, who might be recording all your web activity.

A VPN is not the same as virus protection or a firewall, and you can still download malicious files over a VPN. Instead, they're suitable only for encrypting traffic and masking your IP address. I like having one when connected to a public Wi-Fi network, like at a hotel or airport.

Keep All Your Software Up to Date

Bad actors love to take advantage of security vulnerabilities. One of the best ways to thwart their attempts at getting into your business is to update your software. Developers are constantly making patches to fix these kinds of things, and it's your job to apply those updates.

Every app can be updated from the developer's website, but most also include an in-app update option (look in the settings). I also recommend free software updaters because they're super easy to use.

Windows 11 itself is also in need of updates. To make sure the operating system has all the necessary updates to protect you, refer to this guide: How to Check for and Install Windows Updates.

Another line of defense you shouldn't overlook is the protection your web browser includes. Chrome and Firefox, for example, can block dangerous downloads before they reach your computer and do a great job warning you about phishing attempts. Keep your browser updated to ensure these functions work as best as possible. It's easy to update Firefox, Chrome, or any other browser you have.

Hide Your Important Information

If there's a breach in security and Windows 11 is compromised, there are a few things you can prepare for to minimize the damage.

The first involves your passwords. It's incredibly tempting to keep passwords on a text file on the desktop or maybe even nestled in a few folders to "hide" it from prying eyes. Hackers are clever, and if they get into your computer, there's a good chance they'll find that list.

Here's what to do instead: store all those passwords in a password manager. They're just as convenient as a text document, but there's a single password you have to enter before you can see all your other passwords. Make this master password secure, and you shouldn't have any problems protecting all your accounts from intrusion.

The second safeguard protects your genuine files. If you're afraid that your financial docs, etc., might get stolen, there are two things you can do: store them off of your computer, like on a flash drive that you unplug when it's not in use, or encrypt the files so that if they are stolen, the attacker will have no use for them.

To protect all your files, use a full disk encryption program. Those in that list are free and will encrypt every item on your computer. This is useful if you're concerned that your whole PC will get stolen.

Jamie has a wealth of experience having worked in the Computer Industry for over 34 years - cutting his teeth in IT-MIS he quickly discovered a talent for handling complex technical issues, building sophisticated infrastructure solutions to meet enterprise business requirements and talking to people at all levels of an organisation to share knowledge.

With his passion for security and networking being long standing, having been a leader in the early Antivirus industry with his own scanning software and having built and maintained the Cisco routing and switching infrastructure for Europe’s first Application Service Provider, his career has always been focused on the cutting edge of security and infrastructure solutions which he enjoys mastering and telling anyone who will listen how great these new technologies are.

Jamie lives in Portsmouth, England with his long-suffering wife, two kids and a Cavachon called Lottie, and in his spare time he enjoys retro computer gaming, poker and virtual reality.

Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts [1] to enable persistent access to a Microsoft tenant.

This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement capabilities to another tenant. This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant. Vectra AI has not observed the use of this technique in the wild but given the historical abuse of similar functionality — Vectra AI presents details for defenders to understand how the attack would present and how to monitor for its execution. In addition, the article will review how Vectra AI customers currently have coverage — and have had coverage from day one of the functionality being released for this technique through their AI-driven detections and Vectra Attack Signal IntelligenceTM.

Cross-Tenant Synchronization

CTS is a new feature from Microsoft that enables organizations to synchronize users and groups from other source tenants and grant them access to resources (both Microsoft and non-Microsoft applications) in the target tenant. CTS features build on previous B2B trust configurations enabling automated and seamless collaboration between different tenants and is a feature that many organizations will look to adopt. [2] [3]

CTS is a powerful and useful feature for organizations like business conglomerates with multiple tenants across affiliated companies, but also opens potential reconnaissance, lateral movement and persistence attacks by bad actors if not configured and managed correctly. Read on for the potential risks and attack paths that adversaries can leverage to exploit CTS to abuse trust relationships from a potentially compromised tenant to any other tenant configured with a CTS trust relationship.

• CTS allows users from another tenant to be synced (added) into a target tenant.
• A loosely configured CTS configuration can be exploited to move laterally from a compromised tenant to another tenant of the same or different organization.
• A rogue CTS configuration can be deployed and used as a backdoor technique to maintain access from an external adversary-controlled Microsoft tenant.

Assumed compromise!

The exploitation techniques follow Assumed Compromise philosophy. The techniques used in these exploits assume that an identity has been compromised in a Microsoft cloud environment. In a real-world setting, this could originate from a browser compromise on an Intune-managed endpoint with a Microsoft-managed identity.

Terminologies

The Facilitator

Important things to know about CTS configuration:

1. New users get synced into a tenant via push (not pull). [2]
• Source tenant pushes new users to sync into the target tenant.
2. Automatic Consent Redemption setup. [3]
• Enabling this eliminates the need to consent anytime new users are synced into a target tenant.
3. Users in scope for synchronization are configured in the source tenant. [2]

The Attack

The attack techniques described in this article require certain licenses and a privileged account compromise or privilege escalation to certain roles in the compromised tenant. A Global Admin role can perform all these actions in a tenant. [3]

Technique 1: Lateral Movement

An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant.

1. The attacker accesses the compromised tenant.
2. Attacker recons the environment to identify target tenants connected via deployed Cross Tenant Access policies.
3. Attacker reviews Cross Tenant Access policy configuration for each connected tenant to identify one with 'Outbound Sync' enabled. CTA policy with Outbound Sync enabled allows users and groups from the current tenant to be synchronized into the target tenant.
4. From the CTA policy configuration analysis, the attacker finds a connected tenant with Outbound Sync enabled and sets the tenant as the target for lateral movement.
5. The attacker then recons the compromised tenant to find CTS sync application that runs the job of synchronizing users and groups to the target tenant.
• There is no straight forward way to find the CTS sync application linked to the target tenant. The attacker can enumerate through service principals in the tenant attempting to validate credentials with the target tenant to ultimately find the application that hosts the sync job to the target tenant. It can be done through a simple module like this.
6. After identifying the CTS sync application, the attacker can modify its configuration to add the currently compromised user account to the application sync scope. This will sync the compromised user account into the target tenant and grant attacker access to the target tenant using the same initially compromised credentials.
7. Alternatively, the attacker can also inspect the CTS sync application configuration to identify configured sync scope and act accordingly.
• For example, if the object in sync scope is a group, then the attacker can attempt to add the compromised user account directly or indirectly to the group which will automatically allow the compromised account to be synced into the target tenant.
8. If there are no explicit CTA inbound conditions blocking the sync in the target tenant, the compromised account will sync into the target tenant.
9. The attacker moves laterally into the target tenant using the same initially compromised account.

Scenario 2: Backdoor

An attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.

1. The attacker accesses the compromised tenant.
2. The attacker attempts to deploy a new Cross Tenant Access Policy in the victim tenant with the following properties.
3. Simultaneously, the attacker also configures CTS on its external tenant.
• The external tenant CTS setup is out of scope for this article and hence not covered here. The process of setting CTS in a source tenant is well defined by Microsoft here.
4. The attacker can now sync new users from its tenant via push to the target victim tenant anytime in future. This grants the attacker future access to resources on the target tenant using the externally controlled account.

Defense

1. The attack techniques in this document follow assumed compromise. Businesses must continue to implement and enforce security best practices to reduce the risk of account compromise.
2. CTS Target tenants must:
1. Avoid implementing a default inbound CTA configuration which permits all users/groups/applications from the source tenant to sync inbound. [2]
2. Deploy less inclusive inbound CTA configuration such as explicitly defining accounts (if possible) or groups that can get access through CTS.
3. Combine CTA policy with additional Conditional Access Policies to prevent unauthorized access.
3. CTS Source tenants must:
1. Ensure groups allowed to access other tenants via CTS (and all privileged groups in general) are properly regulated and monitored.
4. Detect and respond at scale and speed.

Vectra Customers:

Vectra's existing portfolio of alerts are capable of detecting this activity even prior to understanding this operation's implication as well as the expected actions that would occur prior to this event.

The fact that there is no genuine vulnerability exploited in this technique makes it harder to prevent once an adversary is in the environment with sufficient privileges. However, Vectra's AI-driven detections have been designed to detect these types of privilege abuse scenarios without having to rely on signatures or lists of known operations.

Vectra's Azure AD Privilege Operation Anomaly monitors for the underlying value of every operation in the environment and every user. The AI continuously creates a baseline of the types of actions that should be occurring in the environment and identifies cases of cloud-based privilege abuse. By focusing on the behavior of privilege abuse, Vectra is able to identify emerging techniques like the one documented here.

Attacker actions that would occur prior to the attack such as the account access following a token theft or other forms of account compromise, would be alerted on by Vectra detections like Azure AD Unusual Scripting Engine Usage, Azure AD Suspicious Sign-on or Azure AD Suspicious OAuth Application.

Microsoft Cloud Security Testing

Testing environments regularly and effectively is the best way to be confident in the ability to defend against cyberattacks. MAAD-Attack Framework is an open-source attack emulation tool that combines the most commonly used attacker techniques and allows security teams to quickly and effectively emulate them in their environments via a simple interactive terminal. Check out MAAD-AF on GitHub or learn more about it here.

Security teams can use MAAD-AF module "Exploit Cross Tenant Synchronization" to emulate and test against the CTS exploitation techniques in their environment.

Want to learn more?

Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. The Vectra AI Platform delivers the integrated signal powering XDR, SIEM, SOAR — whatever your pane of glass. This powerful platform equips SOC teams with hybrid attack surface coverage and real-time Attack Signal Intelligence, along with integrated, automated and co-managed response. Companies can choose the modules they need to achieve full coverage across identity, public cloud, SaaS and data center networks.

Contact Vectra AI today.

References: