Communication with Processes

• 

Access Tokens

• https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens
• 

Enumerating Network Services

• most common way people interact with processes is through a network socket (DNS, HTTP, SMB, etc.).
• we can find a service running only for localhost
• netstat -ano
• look for entries listening on loopback addresses (127.0.0.1 and ::1)
  • The reason for this is network sockets on localhost are often insecure due to the thought that "they aren't accessible to the network."
• The one that sticks out immediately will be port 14147, which is used for FileZilla's administrative interface. By connecting to this port, it may be possible to extract FTP passwords in addition to creating an FTP Share at c:\ as the FileZilla Server user (potentially Administrator).
• eg: Splunk Universal Forwarder Hijacking and SplunkWhisperer2.
  • Erlang-arce blogpost from Mubix
• 

Named Pipes

• 
• 

Pipelist - Listing Named Pipes

• https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist
• List named pipes
  • pipelist.exe /accepteula
  • gci \\.\pipe\ - PowerShell
• Enum pipe permissions - Accesschk
  • accesschk.exe /accepteula \\.\Pipe\lsass -v
    • checking pipe permissions for LSASS
  • If named pipe in \\.\pipe\lsass use the whole path like above
  • If named pipe in \\.\pipe\SQLLocal\SQLExpress01,
    • accesschk.exe /accepteula \pipe\SQLLocal\SQLExpress01 -v

Named Pipes Attack Example

• This WindscribeService Named Pipe Privilege Escalation
• search all named pipes that allow write access
  • accesschk.exe -w \pipe\* -v
    • WindscribeService named pipe allows READ and WRITE access to the Everyone group