Abusing Windows Container Isolation Framework | by Manubhav Sharma | Sep, 2023
– Manubhav Sharma
At DEF CON 31 (2023), researcher Daniel Avinoam demonstrated how an attacker can exploit the Windows Container Isolation Framework to bypass endpoint security solutions. This article explores the lesser-known aspects of Windows container isolation and how attackers can manipulate it to evade detection.

Windows Containers, introduced by Microsoft, provide efficient resource utilization and isolation of processes. They come in two isolation modes: Process Isolation Mode, where containers share the host kernel, and Hyper-V Isolation Mode, where each container runs inside a lightweight virtual machine. The article walks through the mechanics of containers, the default framework Windows Containers rely on, and how an attacker can deliberately step outside the container boundary while still benefiting from its isolation features to hide from security tools.

It then explains the underlying mechanisms of the Windows Container Isolation Framework: job objects, silos (the job-object extension that gives a container its own view of the system), file system redirection, and container file system separation. The key component for file system separation is the Windows Container Isolation FS mini-filter driver (wcifs.sys), which redirects file I/O using reparse points; the article shows how this redirection can be abused for security evasion. The tactics discussed include bypassing ransomware/wiper detection, DLP bypass, bypass of ETW-based correlations, and bypass of CreateProcessNotifyRoutine callbacks.

To mitigate these threats, security vendors can implement measures such as reparse point detection (flagging WCI reparse tags in places no container layer should use), communication port analysis (watching user-mode clients that talk to the mini-filter's communication port), container analysis, and driver attachment monitoring (tracking where wcifs.sys attaches). The article concludes by emphasizing that security professionals need to understand the Windows Container Isolation Framework to defend against these attacks.
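The following PowerShell script is an added example of the "reparse point detection" and "driver attachment monitoring" checks named above; it is not code from the article or from the original talk. It reads the raw reparse tag of every reparse point under a directory with FSCTL_GET_REPARSE_POINT and flags the tags that belong to the Windows Container Isolation FS filter (tag values taken from winnt.h: IO_REPARSE_TAG_WCI 0x80000018, IO_REPARSE_TAG_WCI_1 0x90001018, IO_REPARSE_TAG_WCI_LINK 0xA0000027, IO_REPARSE_TAG_WCI_LINK_1 0xA0001027), and it checks whether wcifs is currently loaded via `fltmc`. The function names, the root path in the usage lines, and the decision to treat any WCI tag outside a container layer as suspicious are this example's own assumptions.

```powershell
# Added example (not from the article): find WCI reparse points and check wcifs state.
# Tag constants are from winnt.h; function names and thresholds are this script's own.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class ReparseNative {
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
        uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool DeviceIoControl(IntPtr hDevice, uint dwIoControlCode,
        IntPtr lpInBuffer, uint nInBufferSize, IntPtr lpOutBuffer, uint nOutBufferSize,
        out uint lpBytesReturned, IntPtr lpOverlapped);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

# Reparse tags owned by the Windows Container Isolation FS filter (winnt.h).
$WciTags = @{
    '0x80000018' = 'IO_REPARSE_TAG_WCI'
    '0x90001018' = 'IO_REPARSE_TAG_WCI_1'
    '0xA0000027' = 'IO_REPARSE_TAG_WCI_LINK'
    '0xA0001027' = 'IO_REPARSE_TAG_WCI_LINK_1'
}

function Get-ReparseTag {
    # Returns the raw ULONG ReparseTag of a reparse point, or $null if it cannot be read.
    param([Parameter(Mandatory)][string]$Path)
    $FILE_SHARE_ALL               = 0x7          # read | write | delete: never block the owner
    $OPEN_EXISTING                = 3
    $FILE_FLAG_BACKUP_SEMANTICS   = 0x02000000   # required to open directories
    $FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000   # open the reparse point itself, do not follow it
    $FSCTL_GET_REPARSE_POINT      = 0x000900A8
    $MAX_REPARSE_BUFFER           = 16384        # MAXIMUM_REPARSE_DATA_BUFFER_SIZE

    $h = [ReparseNative]::CreateFileW($Path, 0, $FILE_SHARE_ALL, [IntPtr]::Zero, $OPEN_EXISTING,
        ($FILE_FLAG_BACKUP_SEMANTICS -bor $FILE_FLAG_OPEN_REPARSE_POINT), [IntPtr]::Zero)
    if ($h.ToInt64() -eq -1) { return $null }    # INVALID_HANDLE_VALUE
    $buf = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($MAX_REPARSE_BUFFER)
    try {
        [uint32]$returned = 0
        $ok = [ReparseNative]::DeviceIoControl($h, $FSCTL_GET_REPARSE_POINT, [IntPtr]::Zero, 0,
            $buf, $MAX_REPARSE_BUFFER, [ref]$returned, [IntPtr]::Zero)
        if (-not $ok -or $returned -lt 4) { return $null }
        # REPARSE_DATA_BUFFER starts with a ULONG ReparseTag; read just those 4 bytes.
        $bytes = New-Object byte[] 4
        [System.Runtime.InteropServices.Marshal]::Copy($buf, $bytes, 0, 4)
        return [BitConverter]::ToUInt32($bytes, 0)
    } finally {
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        [void][ReparseNative]::CloseHandle($h)
    }
}

function Get-WciReparsePoints {
    # Walks $Root and reports every reparse point, marking those with a WCI tag.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            $tag = Get-ReparseTag -Path $_.FullName
            if ($null -eq $tag) { return }
            $key   = '0x{0:X8}' -f $tag
            $isWci = $WciTags.ContainsKey($key)
            $name  = 'other'
            if ($isWci) { $name = $WciTags[$key] }
            [pscustomobject]@{ Path = $_.FullName; Tag = $key; TagName = $name; IsWci = $isWci }
        }
}

function Test-WcifsLoaded {
    # Parses the 'Filter Name' table printed by fltmc; fltmc needs an elevated prompt,
    # so an unprivileged run yields no output and therefore $false.
    $out = & fltmc.exe filters 2>$null
    return [bool]($out | Select-String -Pattern '^\s*wcifs\b' -Quiet)
}

# Usage (assumed root path; the reparse scan runs as a normal user, fltmc needs elevation):
#   Get-WciReparsePoints -Root 'C:\Users\Public' | Where-Object IsWci | Format-Table Path, TagName
#   Test-WcifsLoaded
```

A WCI tag on a file or directory that is not part of a container image layer is the signal the article's "reparse point detection" mitigation is after: the filter will redirect I/O on that path, so a security product watching the original location sees nothing. Whether wcifs is loaded is only a baseline, not an alert on its own; the article's stronger checks are where the driver attaches and which user-mode process talks to its communication port.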
Link: https://medium.com/@letshackit/abusing-windows-container-isolation-framework-6d4957b71bd7