xPipe Cobalt Strike BOF (x64)

Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DACL) permissions.

https://github.com/xforcered/xPipe & https://github.com/boku7/xPipe

Usage

List All Local Active Pipes

To list all the pipes, run the xpipe command from Cobalt Strike's interactive Beacon console after importing the xpipe.cna aggressor script.

beacon> xpipe
[*] xpipe (IBM X-Force Red|Bobby Cooke|@0xBoku)
\\.\pipe\InitShutdown
\\.\pipe\lsass
\\.\pipe\ntsvcs
\\.\pipe\scerpc
\\.\pipe\atsvc

Show Pipe Owner & DACL Permissions

To show the Owner & DACL permissions of a pipe, simply supply the pipe name as the first argument to the xpipe command.

beacon> xpipe \\.\pipe\lsass
[*] xpipe (IBM X-Force Red|Bobby Cooke|@0xBoku)
Pipe: \\.\pipe\lsass
Owner: Administrators\BUILTIN
Everyone
   + SYNCHRONIZE
   + READ_CONTROL
   + FILE_WRITE_DATA
   + FILE_READ_DATA
   + FILE_WRITE_ATTRIBUTES
   + FILE_READ_ATTRIBUTES
ANONYMOUS LOGON\NT AUTHORITY
   + SYNCHRONIZE
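
Added example (not part of the xPipe project): a small Python parser for the Owner and DACL output format shown above, which lists the ACEs where a broad principal holds a write right so they can be reviewed. The trustee set, the rights treated as write-class and the sample text are assumptions of this example.

```python
# Added example; BROAD_TRUSTEES / WRITE_RIGHTS are this example's review policy (assumption).
BROAD_TRUSTEES = {"Everyone", "ANONYMOUS LOGON\\NT AUTHORITY"}
WRITE_RIGHTS = {"FILE_WRITE_DATA", "FILE_WRITE_ATTRIBUTES"}

# Constructed sample in the output format shown above.
SAMPLE = r"""[*] xpipe (IBM X-Force Red|Bobby Cooke|@0xBoku)
Pipe: \\.\pipe\lsass
Owner: Administrators\BUILTIN
Everyone
   + SYNCHRONIZE
   + FILE_WRITE_DATA
   + FILE_WRITE_ATTRIBUTES
ANONYMOUS LOGON\NT AUTHORITY
   + SYNCHRONIZE
"""

def parse_xpipe(text):
    """Return [{'pipe', 'owner', 'aces': {trustee: [rights]}}] from xpipe output."""
    records, current, trustee = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[*]"):
            continue
        if line.startswith("Pipe:"):
            current = {"pipe": line[5:].strip(), "owner": None, "aces": {}}
            records.append(current)
            trustee = None
        elif current is None:
            continue  # bare pipe-listing lines before any "Pipe:" header
        elif line.startswith("Owner:"):
            current["owner"] = line[6:].strip()
        elif line.startswith("+"):
            right = line[1:].strip()
            if trustee and right.isidentifier():  # ignore stray "+" noise
                current["aces"][trustee].append(right)
        else:
            trustee = line
            current["aces"].setdefault(trustee, [])
    return records

def review(records):
    """Return (pipe, trustee, rights) where a broad trustee holds a write right."""
    return [(r["pipe"], t, sorted(WRITE_RIGHTS & set(rights)))
            for r in records for t, rights in r["aces"].items()
            if t in BROAD_TRUSTEES and WRITE_RIGHTS & set(rights)]

if __name__ == "__main__":
    for pipe, trustee, hits in review(parse_xpipe(SAMPLE)):
        print(f"{pipe}: {trustee} holds {', '.join(hits)}")
```
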

Compile with x64 MinGW:

x86_64-w64-mingw32-gcc xpipe.c -c -o xpipe.o -Os

Why I Created This?

Recently I have been exploring C2 channels using SMB/pipes and also dabbling in privilege escalation research. To better understand how Windows pipes worked, I decided to create some projects. I personally find that getting my hands dirty with the Windows APIs, debugging, and tinkering is the best way I learn.

To Do's

Detection & Mitigation

This BOF is for situational awareness. It does not perform any malicious behavior as of December 7th 2021. To detect pipe enumeration by threat actors during their enumeration phase, it may be possible to detect attempts to query all named pipes that exist within \\.\pipe\*.

Credits & References

Cobalt Strike BOF Code Projects

Malware Dev Skill References

DACL Permissions Code Projects & References

Pipe Code Projects

Cobalt Strike - How to Develop a BOF

Raphael Mudge - Beacon Object Files - Luser Demo
Cobalt Strike - Beacon Object Files