Skip to content
/ xPipe Public

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

License

Notifications You must be signed in to change notification settings

boku7/xPipe

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

xPipe Cobalt Strike BOF (x64)

Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DACL) permissions.

https://github.com/xforcered/xPipe & https://github.com/boku7/xPipe

Usage

List All Local Active Pipes

To list all the pipes, simply run the xpipe command from Cobalt Strikes interactive beacon console after importing the xpipe.cna aggressor script.

beacon> xpipe
[*] xpipe (IBM X-Force Red|Bobby Cooke|@0xBoku)
\\.\pipe\InitShutdown
\\.\pipe\lsass
\\.\pipe\ntsvcs
\\.\pipe\scerpc
\\.\pipe\atsvc
++

Show Pipe Owner & DACL Permissions

To show the Owner & DACL permissions of a pipe, simply supply the pipe name as the first argument to the xpipe command.

  • If you lack permissions to query the pipe, the BOF will timeout after 5 seconds and return thread control to the operator.
beacon> xpipe \\.\pipe\lsass
[*] xpipe (IBM X-Force Red|Bobby Cooke|@0xBoku)
Pipe: \\.\pipe\lsass
Owner: Administrators\BUILTIN
Everyone
   + SYNCHRONIZE
   + READ_CONTROL
   + FILE_WRITE_DATA
   + FILE_READ_DATA
   + FILE_WRITE_ATTRIBUTES
   + FILE_READ_ATTRIBUTES
ANONYMOUS LOGON\NT AUTHORITY
   + SYNCHRONIZE
++

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc xpipe.c -c -o xpipe.o -Os
  • Only tested from macOS

Why I Created This?

Recently I have been exploring C2 channels using SMB/pipes and also dabbling in privilege escalation research. To better understand how windows pipes worked, I decided to create some projects. I personally find that getting my hands dirty with the windows APIs, debugging, and tinkering is the best way I learn.

To Do's

  • For pipes which we don't have access to query, the BOF will just timeout after 5 seconds. Create error handler which checks if access was denied and return error code to operator. As of now it will just timeout after 5 seconds and return nothing.
  • Code cleanup, make sure there are no leaks and handles are closed, etc.
  • Update the pipelist() function use the same CS beacon print formatting as the getPipeACL() function. Its cleaner and less prone to errors.

Detection & Mitigation

This BOF is for situational awareness. It does not perform any malicious behavior as of December 7th 2021. For detecting pipe enumeration for threat actors in their enumeration phase, it may be possible to detect attempts to query all named pipes which exist within \\.\pipe\*.

Credits & References

Cobalt Strike BOF Code Projects

  • trustedsec/CS-Situational-Awareness-BOF/src/SA/cacls/
    • The code for the getPipeACL() function is derived from TrustedSecs awesome work from the CACL BOF project.
  • EspressoCake/HandleKatz_BOF
    • This project taught me how to use Cobalt Strikes beacon output formatting APIs and output text to beacon with BeaconOutput(). This is great because it makes the text display in the CS GUI so much cleaner. The code to make this happen is pulled from this project.

Malware Dev Skill References

DACL Permissions Code Projects & References

Pipe Code Projects

Cobalt Strike - How to Develop a BOF

Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files

About

Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published