Exploring Impersonation through the Named Pipe Filesystem Driver

property
value
tags
driver-exploit,mandiant,named-pipes,ttp-impersonation
url
original_word_count
1918

Article Excerpt

Impersonation happens often natively in Windows, however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation which naturally led me digging into the Win32 API ImpersonateNamedPipeClient.

Long Summary

This article explores the concept of impersonation through the Named Pipe Filesystem Driver (npfs.sys). It explains the architecture of drivers, control codes, and other related concepts, and how they are used to interact with drivers. It also explains the functions DeviceIoControl and NtfsControlFile, which are used to send input/output control codes (IOCTLs) to drivers. NtfsControlFile is used to send FSCTL codes to file system drivers, and DeviceIoControl is used for normal device drivers.

The article then explains the Win32 API ImpersonateNamedPipeClient, which allows a named pipe server to impersonate the token of client processes connecting to the server’s named pipe. It also explains the CTL_CODE macro, which is used to parse out the FSCTL code 0x11001C, which is used by ImpersonateNamedPipeClient. This code is sent to the NpFs driver object, which then calls the NpCommonFileSystemControl function. This function checks the FSCTL code and executes an internal function, in this case NpImpersonate, which calls SeImpersonateClientEx and PsImpersonateClient to impersonate the token of the thread that is connecting to the named pipe.

The article then provides a proof of concept for calling NtfsControlFile directly to perform named pipe impersonation instead of calling the Win32 API, ImpersonateNamedPipeClient. It also explains the function flow of the proof of concept, and provides a link to the code on GitHub.

The article then moves on to discuss the Windows Filtering Platform (WFP), which is a kernel-mode driver that provides a framework for filtering network traffic. It explains how WFP can be used to capture information about file system activity, such as file system requests, file system responses, and file system events. It also covers the use of ETW to capture information about file system activity, such as file system requests, file system responses, and file system events.

In conclusion, this article provides an overview of how to capture information about file system activity from both a driver perspective and an ETW perspective. It covers the IO Manager, IO Control Codes, FSC codes, WFP, and ETW. It also provides resources for further learning and a thank you to Yarden Shafir for providing resources and inspiration. This article provides

Short Summary

πŸ““ Exploring Impersonation through the Named Pipe Filesystem Driver

πŸ‘‰πŸ½ Impersonation happens often natively in Windows, however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation which naturally led me digging into the Win32 API ImpersonateNamedPipeClient. an overview of the following topics:

πŸ‘‰πŸ½ Impersonation through npfs.sys πŸ‘‰πŸ½ Architecture of drivers and control codes πŸ‘‰πŸ½ DeviceIoControl and NtfsControlFile functions πŸ‘‰πŸ½ Win32 API ImpersonateNamedPipeClient πŸ‘‰πŸ½ CTL_CODE macro and FSCTL code 0x11001C πŸ‘‰πŸ½ NpCommonFileSystemControl function πŸ‘‰πŸ½ Proof of concept for named pipe impersonation πŸ‘‰πŸ½ Windows Filtering Platform (WFP) πŸ‘‰πŸ½ Capturing information about file system activity with WFP and ETW πŸ‘‰πŸ½ Resources for further learning and acknowledgement of Yarden Shafir.

#Impersonation #NamedPipe #IOCTL #WFP #ETW