
RP2002: Privilege escalation via named pipe impersonation

Summary

ID: RP2002
Brief Description: Response playbook for detected "Privilege escalation via named pipe impersonation" activity.
Author: @Cyberok
Creation Date: 2023/02/03
Modification Date: 2023/04/23
Tags:
  • Status: Stable
  • Severity: High
  • Tlp: Amber
  • Pap: White
  • Windows
Usecases:

Description

Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by utilizing a framework such as Metasploit's meterpreter getsystem command.

Workflow


For better triage and response action results, you need to identify and analyze the artifacts from the use case.

  1. List newly created pipes on the host and look for suspicious named pipes. You can use the PowerShell command from the use case. Note that if the privilege escalation was performed with automated tools that use evasion techniques, the pipe may be hard to find.
  2. Build and analyse the "process tree" (child and parent processes). List processes executed by the found DLL or by one of its child processes. Build a timeline and filter the events of interest connected with the discovered artifacts. Look for any processes spawned by any handle from the pipes found earlier.
  3. Especially examine events with the action "started" for services. Look for specific values like "Cmd.Exe" OR "PowerShell.EXE" in the PE original file name, with arguments like "echo" OR ">" OR "\\.\pipe\" *
  4. Take any containment action depending on the situation and the asset's criticality level; for example, if the privilege escalation is suspected to have succeeded, initiate the procedure to block compromised users and revoke their authentication credentials:
    • Lock user account
  5. Take any eradication action depending on the situation and the asset's criticality level; for example, credentials can be used as arguments to malicious commands:
    • Revoke authentication credentials
  6. Take recovery actions depending on the previous containment and eradication actions:
    • Unblock blocked user (if needed)
    • Change user's credentials
  7. Collect artifacts of the investigated attack to examine the attacker's next goals and moves.
  8. Report the incident, remove security breaches, conduct lessons learned exercises.
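As an added example (not part of the original playbook), the step 3 check written as detection logic run over a few constructed Sysmon-style process-creation records; the field names, sample command lines and pipe names are assumptions made for the illustration, and the parent-is-services.exe check is how "started for services" is approximated here:

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {   # services.exe starting cmd.exe that echoes into a named pipe: the pattern step 3 describes
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"cmd.exe /c echo bJQlLwS > \\.\pipe\bJQlLwS",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # benign: redirection into a file, not a pipe
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c echo hello > C:\temp\out.txt",
        "User": r"CORP\alice",
    },
    {   # same echo-into-pipe idea via PowerShell, but launched from a user shell, not the SCM
        "OriginalFileName": "PowerShell.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -c "echo svc > \\.\pipe\svc"',
        "User": r"CORP\alice",
    },
]

PIPE_PREFIX = "\\\\.\\pipe\\"                       # the literal text \\.\pipe\
PIPE_NAME_RE = re.compile(r"\\\\\.\\pipe\\([^\s\"]+)", re.IGNORECASE)
SHELL_ORIGINAL_NAMES = {"cmd.exe", "powershell.exe"}  # PE OriginalFileName, compared case-insensitively

def is_pipe_echo_candidate(event: dict) -> bool:
    """Step 3: cmd.exe/PowerShell (by PE original file name) whose arguments echo into a named pipe."""
    if event.get("OriginalFileName", "").lower() not in SHELL_ORIGINAL_NAMES:
        return False
    cmd = event.get("CommandLine", "").lower()
    return "echo" in cmd and ">" in cmd and PIPE_PREFIX.lower() in cmd

def started_by_scm(event: dict) -> bool:
    """True when the parent is the Service Control Manager, i.e. the process was started as a service."""
    return event.get("ParentImage", "").lower().endswith(r"\services.exe")

def triage(events: list) -> list:
    """One finding per candidate; the extracted pipe name is what steps 1-2 then chase on the host."""
    findings = []
    for ev in events:
        if not is_pipe_echo_candidate(ev):
            continue
        m = PIPE_NAME_RE.search(ev["CommandLine"])
        findings.append({"pipe": m.group(1) if m else None,
                         "started_as_service": started_by_scm(ev),
                         "user": ev.get("User"), "command": ev["CommandLine"]})
    return findings
```

The first record is the only one that matches both the command-line pattern and the service start, so it is the one to carry into the process-tree and access-token steps.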

Response discovery mapping

Artifact: Pipe
  • Response actions: List new created/modified pipes
  • Notes: Look for suspicious named pipes.
  • Observables: Possible token impersonation

Artifact: Process
  • Response actions: Identify impacted services; List processes executed; Find process by executable content pattern
  • Notes: In the case of privilege escalation, we need to find which processes were launched in violation of the expected security context.
  • Observables: Process launched under impersonated token context

Artifact: Access token
  • Response actions: Examine content
  • Notes: Explore the context of the found process; if a child process runs in another user's context, it may be a privilege escalation indicator.
  • Observables: User's compromised credentials

P.S. Artifacts from the "Attack Prerequisites" section (in this case: Host) should be used in Operational Preparations and as incoming arguments for other response actions, for example:

response action: list processes executed
List_processes_executed (enabled=True, host)

Response mindmap diagram

Mindmap

Playbook Actions

Preparation

Operational Preparations

Identification

List Data Transferred
Identify impacted services
List Processes Executed
Find Process By Executable Content Pattern
Examine Content

Containment

Lock User Account
Powershell disable AD user

Eradication

Reset Authentication Credentials
Revoke Authentication Credentials

Recovery

Unlock Locked User Account
Powershell enable AD user

Lessons Learned

Develop Incident Report
Conduct Lessons Learned Exercise


Artifacts