Overview
Explore a DEF CON 31 conference presentation that delves into the Windows Container Isolation Framework and its potential security implications. Learn about the fundamentals of Windows Containers introduced in Windows Server 2016, including the process and Hyper-V isolation modes. Understand how file system separation works in containers, balancing system file access against storage efficiency. Through reverse engineering of the framework's main mini-filter driver, discover how malicious actors could potentially manipulate this framework to bypass EDR (Endpoint Detection and Response) products. Gain insight into why this default Windows technology presents unique security challenges, particularly in its container escape prevention mechanisms. Access an open-source tool developed from the research findings and understand the broader implications for container security in modern Windows environments.
Syllabus
DEF CON 31 - Staying Undetected Using the Windows Container Isolation Framework - Daniel Avinoam
Taught by
DEFCONConference