ContainYourself: abuses the Windows containers framework to bypass EDRs

by do son · Published September 27, 2023 · Updated September 28, 2023

ContainYourself

A PoC of the ContainYourself research, presented on DEFCON 31. This tool abuses the Windows containers framework to bypass EDR file-system-based malware protection, file write restrictions, and ETW-based correlations.

This repo contains a static library that implements the research findings, a PoC tool that utilizes the library, and a wiper & ransomware project.

The use of containers became an integral part of any resource-efficient and secure environment. Starting from Windows Server 2016, Microsoft released its version of this solution called Windows Containers, which offers either a process or Hyper-V isolation modes.

In both cases, an efficient file system separation should be provided. On one hand, each container should be able to access system files and write changes that will not affect the host. On the other, copying the entire main volume on each container launch will be storage-inefficient and not practical.

Here are the two “isolation modes” a Windows container can run on:

Process Isolation Mode (also referred to as Windows Server containers): User-mode isolation where the container interacts with the host kernel directly. Each container instance is isolated from the host through namespaces and resource control. Think Linux containers.
Hyper-V Isolation Mode (also referred to as Hyper-V containers): Kernel-level isolation that provides each container with its own Hyper-V virtual machine. The presence of the virtual machine provides hardware-level isolation between each container as well as the container host.

In both cases, there should be efficient file system separation and each container should be able to access system files and write changes that will not affect the host. Copying the main volume for each container launch would be storage-inefficient and impractical.