• Stars
    star
    256
  • Rank 159,219 (Top 4 %)
  • Language
    C
  • Created over 4 years ago
  • Updated over 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Print Spooler Named Pipe Impersonation for Cobalt Strike

SpoolSystem

SpoolSystem is a CNA script for Cobalt Strike which uses @itm4n's Print Spooler named pipe impersonation trick to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the selfinject method is used).

Running

The script supports two modes:

  • selfinject: this is the one you probably want to use. It triggers the spoolss RPC method via self-injection within the current process. This is the best option for OPSEC, but ideally should be done in a process you don't mind crashing (just incase).
  • spawn: this uses bdllspawn to trigger the spoolss RPC method, so launches another process (not as good for OPSEC)

Both modes allow a user with only SeImpersonatePrivilege to gain SYSTEM privileges within the current beacon session. This is useful if you have a privilege escalation that gives you LOCAL SERVICE, NETWORK SERVICE or similar, or for cases where SeDebugPrivilege has been removed. However it can also be used as a drop-in replacement for getsystem.

Example

example

References