#NoFilter: Abusing Windows Filtering Platform for privilege escalation

Privilege escalation is a common attack vector in the Windows OS. Today, there are multiple offensive tools in the wild that can execute code as “NT AUTHORITY\SYSTEM” (Meterpreter, CobaltStrike, Potato tools), and they all usually do so by duplicating tokens and manipulating services in some way or another. This talk will show an evasive and undetected privilege escalation technique that abuses the Windows Filtering Platform (WFP). This platform processes network traffic and allow configuring filters that permit or block communication. It is built-in component of the operating system since Windows Vista, and doesn’t require an installation My research started from reverse-engineering a single RPC method in an OS service and ended with several techniques to abuse a system kernel component, that allow executing programs as “NT AUTHORITY\SYSTEM”, as well as other users that are logged on the the machine without triggering any traditional detection algorithms. The various components of the Windows Filtering Platform will be analyzed, such as the Basic Filtering Engine, the TCPIP driver and the IPSec protocol, while focusing on how to abuse them and extract valuable data from them.