Skip to content
/ spoolsystem Public

Print Spooler Named Pipe Impersonation for Cobalt Strike

258 stars 38 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rxwx/spoolsystem

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
SpoolTrigger
SpoolTrigger
 
 
cna
cna
 
 
.gitignore
.gitignore
 
 
Readme.md
Readme.md
 
 
SpoolTrigger.sln
SpoolTrigger.sln
 
 
spoolsystem.gif
spoolsystem.gif
 
 

Repository files navigation

SpoolSystem

SpoolSystem is a CNA script for Cobalt Strike which uses @itm4n's Print Spooler named pipe impersonation trick to gain SYSTEM privileges without creating any new process or relying on cross-process shellcode injection (if the selfinject method is used).

Running

The script supports two modes:

  • selfinject: this is the one you probably want to use. It triggers the spoolss RPC method via self-injection within the current process. This is the best option for OPSEC, but ideally should be done in a process you don't mind crashing (just incase).
  • spawn: this uses bdllspawn to trigger the spoolss RPC method, so launches another process (not as good for OPSEC)

Both modes allow a user with only SeImpersonatePrivilege to gain SYSTEM privileges within the current beacon session. This is useful if you have a privilege escalation that gives you LOCAL SERVICE, NETWORK SERVICE or similar, or for cases where SeDebugPrivilege has been removed. However it can also be used as a drop-in replacement for getsystem.

Example

example

References

About

Print Spooler Named Pipe Impersonation for Cobalt Strike

Topics

cna

Resources

Readme
Activity

Stars

258 stars

Watchers

9 watching

Forks

38 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages