Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/rxwx/spoolsystem

Print Spooler Named Pipe Impersonation for Cobalt Strike
https://github.com/rxwx/spoolsystem

cna

Last synced: 21 days ago
JSON representation

Print Spooler Named Pipe Impersonation for Cobalt Strike

Awesome Lists containing this project

README

        

# SpoolSystem

SpoolSystem is a CNA script for Cobalt Strike which uses @itm4n's Print Spooler named pipe impersonation trick to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the `selfinject` method is used).

## Running

The script supports two modes:

* selfinject: this is the one you probably want to use. It triggers the spoolss RPC method via self-injection within the current process. This is the best option for OPSEC, but ideally should be done in a process you don't mind crashing (just incase).
* spawn: this uses `bdllspawn` to trigger the spoolss RPC method, so launches another process (not as good for OPSEC)

Both modes allow a user with only `SeImpersonatePrivilege` to gain SYSTEM privileges within the current beacon session. This is useful if you have a privilege escalation that gives you `LOCAL SERVICE`, `NETWORK SERVICE` or similar, or for cases where `SeDebugPrivilege` has been removed. However it can also be used as a drop-in replacement for `getsystem`.

## Example

![example](spoolsystem.gif)

## References

* https://github.com/itm4n/PrintSpoofer
* https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
* https://github.com/leechristensen/SpoolSample