Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rxwx/spoolsystem
Print Spooler Named Pipe Impersonation for Cobalt Strike
- Host: GitHub
- URL: https://github.com/rxwx/spoolsystem
- Owner: rxwx
- Created: 2020-06-13T11:24:20.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2020-06-13T11:50:44.000Z (over 4 years ago)
- Last Synced: 2024-08-05T17:23:59.766Z (4 months ago)
- Topics: cna
- Language: C
- Homepage:
- Size: 2.08 MB
- Stars: 254
- Watchers: 9
- Forks: 36
- Open Issues: 1
Metadata Files:
- Readme: Readme.md
Awesome Lists containing this project
- awesome-hacking-lists - rxwx/spoolsystem - Print Spooler Named Pipe Impersonation for Cobalt Strike (C)
README
# SpoolSystem
SpoolSystem is a CNA script for Cobalt Strike which uses @itm4n's Print Spooler named pipe impersonation trick to gain SYSTEM privileges. When the `selfinject` method is used, this happens without creating a new process or relying on cross-process shellcode injection.
## Running
The script supports two modes:
* selfinject: this is the one you probably want to use. It triggers the spoolss RPC method via self-injection within the current process. This is the best option for OPSEC, but ideally it should be done in a process you don't mind crashing (just in case).
* spawn: this uses `bdllspawn` to trigger the spoolss RPC method, so it launches another process (not as good for OPSEC).

Both modes allow a user with only `SeImpersonatePrivilege` to gain SYSTEM privileges within the current beacon session. This is useful if you have a privilege escalation that gives you `LOCAL SERVICE`, `NETWORK SERVICE` or a similar service account, or for cases where `SeDebugPrivilege` has been removed. It can also be used as a drop-in replacement for `getsystem`. Because the trick relies on the spoolss RPC interface, the Print Spooler service must be running on the target.
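The trick both modes rely on (from the PrintSpoofer write-up referenced below) is to create a named pipe whose name ends in `\pipe\spoolss` and then ask the spooler, over RPC, to send a change notification to `\\localhost/pipe/<name>`; the spooler connects to the attacker's pipe as SYSTEM and its token can be impersonated. The following is an added example, not part of SpoolSystem or PrintSpoofer, showing the defender-side check a practitioner would want: scanning Sysmon pipe events (ID 17 PipeCreated, ID 18 PipeConnected) for the nested `\<anything>\pipe\spoolss` pipe name and for `spoolsv.exe` connecting to such a pipe. The key=value log lines are constructed here as a stand-in for the real Sysmon fields, and the image path and rule thresholds are assumptions.

```python
"""Flag PrintSpoofer-style spooler named-pipe impersonation in Sysmon pipe events.

Added example; the log format below is a constructed, simplified
stand-in for Sysmon's PipeName/Image/ProcessId fields.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sysmon Event IDs for named pipe telemetry.
PIPE_CREATED = 17
PIPE_CONNECTED = 18

# Assumed location of the Print Spooler service binary.
SPOOLER_IMAGE = r"c:\windows\system32\spoolsv.exe"
# The spooler's own RPC endpoint pipe.
LEGIT_SPOOLER_PIPE = r"\spoolss"
# The impersonation trick creates "\\.\pipe\<name>\pipe\spoolss" so that the
# spooler's callback to "\\localhost/pipe/<name>" lands on an attacker-owned
# pipe.  Only the "\<one component>\pipe\spoolss" shape is stable; <name>
# is attacker-chosen.
NESTED_SPOOLSS = re.compile(r"^\\[^\\]+\\pipe\\spoolss$", re.IGNORECASE)

# Constructed line format: EventID=<n> PipeName=<pipe> Image=<exe> ProcessId=<pid>
LINE_RE = re.compile(r"EventID=(\d+)\s+PipeName=(\S+)\s+Image=(\S+)\s+ProcessId=(\d+)")


@dataclass(frozen=True)
class PipeEvent:
    event_id: int
    pipe_name: str
    image: str
    process_id: int


def parse_line(line: str) -> Optional[PipeEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return PipeEvent(int(m.group(1)), m.group(2), m.group(3), int(m.group(4)))


def classify(ev: PipeEvent) -> Optional[str]:
    """Return a finding string for a suspicious event, else None."""
    nested = NESTED_SPOOLSS.match(ev.pipe_name) is not None
    is_spooler = ev.image.lower() == SPOOLER_IMAGE
    # Rule 1: any process creating a pipe that mimics the spoolss endpoint one
    # path component deeper than the real "\spoolss" pipe.
    if ev.event_id == PIPE_CREATED and nested:
        return (f"pid {ev.process_id} ({ev.image}) created spoolss lookalike "
                f"pipe {ev.pipe_name}")
    # Rule 2 (stronger signal): the spooler itself connecting to such a pipe,
    # which is the SYSTEM callback the attacker impersonates.
    if ev.event_id == PIPE_CONNECTED and is_spooler and nested:
        return (f"spoolsv.exe (pid {ev.process_id}) connected to foreign pipe "
                f"{ev.pipe_name}")
    return None


def scan(lines: List[str]) -> List[str]:
    """Run both rules over a batch of log lines and collect findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        finding = classify(ev)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: two benign spooler events, one benign
# unrelated pipe, then the attacker's pipe creation and the spooler's callback.
SAMPLE_LINES = [
    r"EventID=17 PipeName=\spoolss Image=C:\Windows\System32\spoolsv.exe ProcessId=1234",
    r"EventID=18 PipeName=\spoolss Image=C:\Windows\explorer.exe ProcessId=2000",
    r"EventID=17 PipeName=\srvsvc Image=C:\Windows\System32\svchost.exe ProcessId=900",
    r"EventID=17 PipeName=\x9f2k\pipe\spoolss Image=C:\Windows\System32\rundll32.exe ProcessId=4321",
    r"EventID=18 PipeName=\x9f2k\pipe\spoolss Image=C:\Windows\System32\spoolsv.exe ProcessId=1234",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f)
```

Rule 2 is the more reliable of the two: a client process is free to create pipes with any name, but the spooler connecting to a pipe outside its own `\spoolss` endpoint only happens when it has been pointed there. In `spawn` mode the creating image in rule 1 will be the spawned sacrificial process rather than the beacon host; in `selfinject` mode it is the beacon process itself.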
## Example
![example](spoolsystem.gif)
## References
* https://github.com/itm4n/PrintSpoofer
* https://itm4n.github.io/printspoofer-abusing-impersonate-privileges/
* https://github.com/leechristensen/SpoolSample