DEF CON 31 - Staying Undetected Using the Windows Container Isolation Framework - Daniel Avinoam

16,341 views

DEFCONConference

8 months ago

The use of containers has become an integral part of any resource-efficient and secure environment. Starting with Windows Server 2016, Microsoft released its own version of this solution, Windows Containers, which offers either process or Hyper-V isolation mode.
In both cases, efficient file system separation must be provided. On one hand, each container should be able to access system files and write changes that do not affect the host. On the other, copying the entire main volume on each container launch would be storage-inefficient and impractical.
In this presentation, we will cover the basics of Windows containers, break down their file system isolation framework, reverse-engineer the main mini-filter driver behind it, and see how an actor can utilize and manipulate it to bypass EDR products in multiple domains. Finally, we will release an open-source tool based on these findings.
This technology caught my attention for several reasons:
Containers and virtualization solutions are everywhere, and their internal workings are not well documented.
Actors often search for ways to escape containers. The idea of intentionally entering one in order to evade security products has yet to be explored.
This framework requires no prerequisites and comes by default in every modern Windows image (at least the part we will abuse).

Comments: 9
@trollemaudacity80poundfupa49 7 months ago
Loved this guy’s work with the Zohan
@geroffmilan3328 8 months ago
Awesome work.
@gervin814 8 months ago
Great job
@actuator 4 months ago
- [00:00](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🪟 Windows Containers Introduction
- [01:24](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 📋 Job Objects & Silos
- [03:18](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 📁 Reparse Points Usage
- [04:39](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🚗 Mini-filter Drivers Role
- [06:57](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🔄 Mini-filters & Reparse Points
- [08:46](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 👻 Dynamic Images in Containers
- [09:36](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🚪 Redirection for Obfuscation
- [10:06](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 📦 Introduction to wcifs Driver
- [12:27](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 📝 wcifs PreCreate Requirements
- [16:31](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 📎 How wcifs Handles LINK_1
- [18:12](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🧩 How wcifs Handles WCI_1
- [20:08](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🗄 Handling Non-existent Files
- [21:25](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🕵 Reverse Engineer WCIFS
- [22:49](kzfaq.info/get/bejne/edNdrampm87bqp8.html) ⬆ Mini-filter Altitudes
- [25:29](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🚧 Bypass EDR Filters
- [27:17](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🔄 Create Undetectable Wiper
- [28:39](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🌐 Create Undetectable Ransomware
- [30:56](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🚫 Bypass Write Restrictions
- [32:24](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 📊 ETW Log Misinformation
- [33:21](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🕵‍♂ Steal Data Stealthily
- [34:43](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🔐 Bypass File Protections
- [35:35](kzfaq.info/get/bejne/edNdrampm87bqp8.html) 🔍 Detect Suspicious Activity
@InuYasha-SitBoy 6 months ago
super interesting talk. very clever. great english for a foreigner, too. 👍
@VintageSecure 5 months ago
This is scary stuff in the wrong hands. 😅
@Nittai_Shiff 8 months ago
Lots of Israelis this year
@MagicPlants 8 months ago
NVIDIA removes echo for free...