Exploring Impersonation through the Named Pipe Filesystem Driver
Malware Analysis, News and Indicators - Latest topics malware.news
Introduction
Impersonation happens often natively in Windows; however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation, which naturally led me to dig into the Win32 API ImpersonateNamedPipeClient. I had never really dug into how ImpersonateNamedPipeClient worked under the hood, so I wanted to do so. During analysis, I saw that a call to NtFsControlFile was made:
NtFsControlFile is a function that allows the caller to send a value …