all InfoSec news
Exploring Impersonation through the Named Pipe Filesystem Driver
Security Boulevard securityboulevard.com
Introduction
Impersonation happens often natively in Windows, however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation which naturally led me digging into the Win32 API ImpersonateNamedPipeClient. I had never really dug into how ImpersonateNamedPipeClient worked under the hood, so I wanted to do so. During analysis, I saw that a call to NtFsControlFile was made:
NtFsControlFile is a function that allows the caller to send a value …
adversaries api code context driver filesystem impersonation introduction led research run under win32 windows