Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

Related tags

Miscellaneous xPipe
Overview

xPipe Cobalt Strike BOF (x64)

Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DACL) permissions.

https://github.com/xforcered/xPipe & https://github.com/boku7/xPipe

Usage

List All Local Active Pipes

To list all the pipes, simply run the xpipe command from Cobalt Strikes interactive beacon console after importing the xpipe.cna aggressor script.

beacon> xpipe
[*] xpipe (IBM X-Force Red|Bobby Cooke|@0xBoku)
\\.\pipe\InitShutdown
\\.\pipe\lsass
\\.\pipe\ntsvcs
\\.\pipe\scerpc
\\.\pipe\atsvc
++

Show Pipe Owner & DACL Permissions

To show the Owner & DACL permissions of a pipe, simply supply the pipe name as the first argument to the xpipe command.

  • If you lack permissions to query the pipe, the BOF will timeout after 5 seconds and return thread control to the operator.
beacon> xpipe \\.\pipe\lsass
[*] xpipe (IBM X-Force Red|Bobby Cooke|@0xBoku)
Pipe: \\.\pipe\lsass
Owner: Administrators\BUILTIN
Everyone
   + SYNCHRONIZE
   + READ_CONTROL
   + FILE_WRITE_DATA
   + FILE_READ_DATA
   + FILE_WRITE_ATTRIBUTES
   + FILE_READ_ATTRIBUTES
ANONYMOUS LOGON\NT AUTHORITY
   + SYNCHRONIZE
++

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc xpipe.c -c -o xpipe.o -Os
  • Only tested from macOS

Why I Created This?

Recently I have been exploring C2 channels using SMB/pipes and also dabbling in privilege escalation research. To better understand how windows pipes worked, I decided to create some projects. I personally find that getting my hands dirty with the windows APIs, debugging, and tinkering is the best way I learn.

To Do's

  • For pipes which we don't have access to query, the BOF will just timeout after 5 seconds. Create error handler which checks if access was denied and return error code to operator. As of now it will just timeout after 5 seconds and return nothing.
  • Code cleanup, make sure there are no leaks and handles are closed, etc.
  • Update the pipelist() function use the same CS beacon print formatting as the getPipeACL() function. Its cleaner and less prone to errors.

Detection & Mitigation

This BOF is for situational awareness. It does not perform any malicious behavior as of December 7th 2021. For detecting pipe enumeration for threat actors in their enumeration phase, it may be possible to detect attempts to query all named pipes which exist within \\.\pipe\*.

Credits & References

Cobalt Strike BOF Code Projects

  • trustedsec/CS-Situational-Awareness-BOF/src/SA/cacls/
    • The code for the getPipeACL() function is derived from TrustedSecs awesome work from the CACL BOF project.
  • EspressoCake/HandleKatz_BOF
    • This project taught me how to use Cobalt Strikes beacon output formatting APIs and output text to beacon with BeaconOutput(). This is great because it makes the text display in the CS GUI so much cleaner. The code to make this happen is pulled from this project.

Malware Dev Skill References

DACL Permissions Code Projects & References

Pipe Code Projects

Cobalt Strike - How to Develop a BOF

Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files
Owner
Bobby Cooke
OSWE | eWPTX | OSCE | eCXD | OSCP | SLAE32|64
Bobby Cooke
Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environment strings without touching any DLL's.

Cobalt Strike "Where Am I?" Beacon Object File Cobalt Strike Beacon Object File (BOF) that uses handwritten shellcode to return the process Environmen

Bobby Cooke 86 Jun 15, 2022
Cobalt Strike Beacon Object File (BOF) that takes the name of of a PE file as an argument and spawns the process in a suspended state

Beacon Object File (BOF) that spawns an arbitrary process from beacons memory. Supports Parent Process ID (PPID) spoofing & blocking non-MS signed DLLs from loading into the processes memory (some EDR DLLs).

boku 329 Jun 27, 2022
Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.

Cobalt Strike BOF - Inject AMSI Bypass Cobalt Strike Beacon Object File (BOF) that bypasses AMSI in a remote process with code injection. Running inje

boku 292 Jun 24, 2022
A list of excellent resources for anyone to deepen their understanding with regards to Windows Kernel Exploitation and general low level security.

WinKernel-Resources A list of excellent resources for anyone trying to deepen their understanding with regards to Windows Kernel Exploitation and gene

Vector Security 36 May 30, 2022
Free,Open-Source,Cross-platform agent and Post-exploiton tool written in Golang and C++, the architecture and usage like Cobalt Strike

Khepri Free,Open-Source,Cross-platform agent and Post-exploiton tool written in Golang and C++ Description Khepri is a Cross-platform agent, the archi

Young 1.3k Jun 24, 2022
Collection of BOFs for Cobalt Strike

Collection of BOFs for Cobalt Strike

null 22 Jun 20, 2022
Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

Cobalt Strike User-Defined Reflective Loader Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. B

Bobby Cooke 699 Jun 19, 2022
Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving

Beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.

Chris Au 75 Jun 15, 2022
EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3]

EVA3: using hellsgate in EVA to get the syscalls [tested with cobalt strike 4.3] note that i dont claim that the idea is mine, this repo is probably

null 28 Jun 10, 2022
Undetectable Loader for Cobalt Strike Using Syscalls And A External Shellcode

Hellsgate Undetectable Loader for Cobalt Strike Using Syscalls And A External Shellcode Features: Using Syscalls from Hellsgate tech loading the shell

JUICY 21 Nov 5, 2021
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors".

COBALT STRIKE 4.4 Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to exe

Trewis [work] Scotch 81 Jun 19, 2022
A Visual Studio template used to create Cobalt Strike BOFs

Introduction Cobalt Strike beacon object files (BOFs) is a feature that added to the beacon in order to allow rapid beacon extendibility in a more OPS

Securify 137 Jun 23, 2022
Load and execute COFF files and Cobalt Strike BOFs in-memory

COFFLoader2 This repo contains the source code of a Common Object File Format (COFF) loader, which is a rewrite of the research and implementation don

Yasser 109 Jun 27, 2022
BokuLoader - Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities.

BokuLoader - Cobalt Strike Reflective Loader Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. B

Bobby Cooke 706 Jun 24, 2022
This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike

BOF Template This repository is meant to host the core files needed to create a Beacon Object File for use with Cobalt Strike. A Beacon Object File (B

Cobalt Strike 28 Jun 18, 2022
anthemtotheego 323 Jun 18, 2022
Techniques based on named pipes for pool overflow exploitation targeting the most recent (and oldest) Windows versions

Table of Contents Table of Contents Introduction Named-Pipes Introduction Exploitation Spraying the non-paged pool Memory Disclosure/Arbitrary Read Co

null 132 Jun 10, 2022
This project helps a person park their car in their garage in the same place every time.

garage-parking-sensor Description This project is developed to help a person park their car in their garage in the same place every time. Normally peo

Calvin Pereira 2 Sep 13, 2021
32Kb, small memory footprint, single binary that run list of commands in parallel and waits for their termination

await 32K, small memory footprint, single binary that run list of commands in parallel and waits for their termination documentation linux install cur

Slava 52 Jun 24, 2022