UC0021: Privilege escalation via named pipe impersonation
Summary
| ID | UC0021 |
|---|---|
| Brief Description | Privilege escalation attempt via named pipe impersonation, an adversary may abuse this technique by utilizing a framework such Metasploit’s meterpreter getsystem command. |
| Author | @Cyberok |
| Creation Date | 2023/02/28 |
| Modification Date | 2023/02/28 |
| ATT&CK Techniques | |
| Tags |
|
| Linked Response Playbooks | |
| Artifacts |
Description
A pipe is a block of shared memory that processes can use for communication and data exchange. Named Pipes is a Windows mechanism that enables two unrelated processes to exchange data between themselves, even if the processes are located on two different networks. It's very similar to client/server architecture as notions such as a named pipe server and a named pipe client exist.
An adversary may abuse Privilege escalation attempt via named pipe impersonation by utilizing a framework such Metasploit’s meterpreter getsystem command. Attack mechanism is described in details below.
Attack mapping
| ARTIFACT | OBJECT | DESCRIPTION |
|---|---|---|
| Attack Prerequisites | ||
| Host | Compromised host | A host to which an attacker has a primal unprivileged access |
| Privileged User Account | Privileged user | Any account in domain found on any previous stages of attack, which has "domain administrator" privileges or any other "special rights" |
| Side Observables | ||
| Pipe | Named pipe | A named pipe server can open a named pipe with some predefined name and then a named pipe client can connect to that pipe via the known name |
| Access Token | Privileged user's authentication credential | These credentials used to obtain privileges of domain administrator |
Attack results
Get an access token of privileged user to spawn any processes.
| RESOURCE | DESCRIPTION |
|---|---|
| Attack Prerequisites | |
| Access | Compromised host with "unprivileged domain" access, attacker may be local administrator for example |
| Result Consequences | |
| Privileged access | Possibility to execute action with privileged access, for example "domain administrator" shell |
Attack progress
1) To successfully execute the attack an attacker needs to perform communication between "pipe server" and "pipe client".
Below image shows the named pipe server and named pipe client working as expected
Checking how the process maintains a handle to our named pipe mantvydas-first-pipe
Similary, we can see the client having an open handle to the named pipe
2) It is possible for the named pipe server to impersonate the named pipe client's security context by leveraging a ImpersonateNamedPipeClient API call which in turn changes the named pipe server's current thread's token with that of the named pipe client's token.
Running the server and connecting to it with the client that is running under administrator@alpha.local security context, we can see that the main thread of the named server pipe assumed the token of the named pipe client - ALPHA\administrator, although the PipeServer.exe itself is running under ALPHA\aegorov security context.
Possible usage
1) This technique allows to gain privileged shell.
Attack diagram
