Overview
Learn about a novel privilege escalation technique through a DEF CON 31 conference presentation that explores vulnerabilities in the Windows Filtering Platform (WFP). Discover how programs can be executed as "NT AUTHORITY\SYSTEM" and as other logged-on users by exploiting this built-in Windows component, which has been present since Windows Vista. Dive deep into the reverse engineering of RPC methods and the analysis of the Basic Filtering Engine, the TCPIP driver, and IPSec protocol components. Understand how this evasive technique differs from traditional privilege escalation methods that rely on token duplication and service manipulation, and how it avoids detection by conventional security algorithms. Gain insights into how WFP's network traffic processing and filtering capabilities can be leveraged for system compromise.
Syllabus
DEF CON 31 - #NoFilter Abusing Windows Filtering Platform for privilege escalation - Ron Ben Yizhak
Taught by
DEFCONConference