2025-03-26 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)11/24 Report--
CTOnews.com, August 24 (Xinhua)-- Security researchers have recently developed a tool called NoFilter that can elevate user privileges to the SYSTEM level (the highest privilege level on Windows) by abusing the Windows Filtering Platform (WFP).
CTOnews.com Note: the Windows Filtering Platform (WFP) is a set of APIs and system services that provide a platform for creating network filtering applications.
The WFP API lets developers write code that interacts with packet processing at multiple layers of the operating system's network stack, filtering and modifying network data before it reaches its destination.
Researchers at Deep Instinct, a network security company, have developed three new attack methods that elevate a user's privileges on Windows devices without leaving many traces or being detected by mainstream security products.
The first method uses WFP to duplicate an access token (the object that identifies a user's permissions): it obtains the access token by calling the NtQueryInformationProcess function and then copies it into the task to be executed.
The second technique involves triggering an IPSec connection and abusing the Print Spooler service, then inserting the SYSTEM token into the hash table.
The tool uses the RpcOpenPrinter function to retrieve a printer handle by name. By changing the name to "\\127.0.0.1", the service is made to connect to the local host.
After the RPC call, multiple device I/O requests to WfpAleQueryTokenById are issued to obtain a SYSTEM token.
The third technique obtains the token of another user logged in to the compromised system and manipulates that user's service.
The researchers say that if an access token can be added to the hash table, a process can be started with the privileges of the logged-in user.
They looked for a remote procedure call (RPC) server that runs as the logged-in user, using a script to find processes that run as a domain administrator and expose an RPC interface.
The researchers abused the OneSyncSvc service and SyncController.dll to start arbitrary processes with the privileges of the logged-in user.
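The two observable behaviours the article describes, the Print Spooler being asked to open a printer on the loopback address and OneSyncSvc launching an unexpected child process, can be turned into simple detection checks. The following is an added example written for this article, not code from Deep Instinct or the NoFilter tool; the event schema, the sample events and the OneSyncSvc child-process allowlist are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample telemetry with an assumed schema (not taken from the article).
SAMPLE_EVENTS = [
    {"type": "rpc_open_printer", "pid": 1532, "printer": r"\\PRINTSRV01\Floor2"},
    {"type": "rpc_open_printer", "pid": 1532, "printer": r"\\127.0.0.1"},
    {"type": "process_create", "parent_service": "OneSyncSvc",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "parent_service": "OneSyncSvc",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
]

# Placeholder allowlist (assumption): children OneSyncSvc is expected to spawn in your environment.
EXPECTED_ONESYNC_CHILDREN = {r"c:\windows\system32\svchost.exe"}


def printer_host(printer_name: str) -> str:
    """Return the server part of a UNC printer name (\\\\server\\share), or '' if it is not UNC."""
    name = printer_name.strip()
    if not name.startswith("\\\\"):
        return ""
    return name[2:].split("\\", 1)[0]


def is_loopback_host(host: str) -> bool:
    """True for 'localhost' or any IPv4/IPv6 loopback literal (brackets around IPv6 tolerated)."""
    h = host.strip("[]").lower()
    if h == "localhost":
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False  # a hostname that is not an IP literal


def find_suspicious(events):
    """Return (rule_name, event) pairs for events matching the behaviours in the article."""
    hits = []
    for ev in events:
        if ev.get("type") == "rpc_open_printer":
            # Spooler asked to open a printer on the local host, as in the second technique.
            if is_loopback_host(printer_host(ev.get("printer", ""))):
                hits.append(("spooler_loopback_printer", ev))
        elif ev.get("type") == "process_create":
            # OneSyncSvc spawning a child outside the allowlist, as in the third technique.
            if (ev.get("parent_service") == "OneSyncSvc"
                    and ev.get("image", "").lower() not in EXPECTED_ONESYNC_CHILDREN):
                hits.append(("onesyncsvc_unexpected_child", ev))
    return hits
```

Run `find_suspicious(SAMPLE_EVENTS)` to see the two constructed hits; the allowlist and schema must be adapted to whatever telemetry source you actually collect.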
© 2024 shulou.com SLNews company. All rights reserved.