Endpoint security evasion possible by exploiting Windows Container Isolation Framework

Attackers could abuse the Windows Container Isolation Framework, Microsoft's container architecture for isolating container file systems, to circumvent malware detection controls and evade endpoint security systems, The Hacker News reports. Malicious file system activity could remain undetected by running the current process inside a fabricated container while routing input/output operations through the framework's minifilter driver, according to a Deep Instinct report presented at the DEF CON security conference. "Because we can override files using the IO_REPARSE_TAG_WCI_1 reparse tag without the detection of antivirus drivers, their detection algorithm will not receive the whole picture and thus will not trigger," said researcher Daniel Avinoam, who noted that administrative permissions are needed to conduct the attack. The findings follow an earlier Deep Instinct report detailing attacks that abuse the Windows Filtering Platform to escalate privileges through access token duplication, IPSec connections and SYSTEM token insertion, as well as token exfiltration.
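Because the technique relies on files carrying a Windows Container Isolation reparse tag, a defender's first check is simply to enumerate reparse points and flag the WCI tags. The script below is an added example, not code from the Deep Instinct research or the article; the tag constants come from the Windows SDK headers, and the `st_reparse_tag` field is only populated by CPython on Windows, so the live walk yields nothing elsewhere.

```python
"""Hunt for NTFS reparse points carrying the Windows Container Isolation tags."""
import os
import stat

# Reparse tag values as defined in the Windows SDK (ntifs.h).
IO_REPARSE_TAG_WCI = 0x80000018    # Windows Container Isolation tag
IO_REPARSE_TAG_WCI_1 = 0x90001018  # WCI_1 tag named in the research
WCI_TAGS = {IO_REPARSE_TAG_WCI, IO_REPARSE_TAG_WCI_1}


def decode_reparse_tag(tag: int) -> dict:
    """Split a 32-bit reparse tag into Microsoft's documented fields:
    bit 31 = Microsoft-defined, bit 29 = name surrogate, bit 28 = directory,
    bits 0-15 = tag value."""
    return {
        "microsoft": bool(tag & 0x80000000),
        "name_surrogate": bool(tag & 0x20000000),
        "directory": bool(tag & 0x10000000),
        "value": tag & 0xFFFF,
        "is_wci": tag in WCI_TAGS,
    }


def iter_reparse_tags(root: str):
    """Yield (path, reparse_tag) for every reparse point under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry; keep scanning
            attrs = getattr(st, "st_file_attributes", 0)
            if attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT:
                yield path, getattr(st, "st_reparse_tag", 0)


def find_wci_entries(entries):
    """Filter (path, tag) pairs down to those using a WCI reparse tag.
    Separate from the walk so it also works on an exported file listing."""
    return [(path, hex(tag)) for path, tag in entries if tag in WCI_TAGS]


if __name__ == "__main__":
    # Constructed sample: a symlink, a junction and a WCI_1 reparse point.
    sample = [
        ("C:\\Users\\demo\\link.txt", 0xA000000C),
        ("C:\\mnt\\junction", 0xA0000003),
        ("C:\\ProgramData\\app\\config.dll", IO_REPARSE_TAG_WCI_1),
    ]
    print("sample hits:", find_wci_entries(sample))
    print("live hits:", find_wci_entries(iter_reparse_tags(os.getcwd())))
```

Hits outside known container storage locations are worth correlating with the process that created them, since the attack requires administrative rights.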
