Performing a Token Heist without administrator rights
Learn how to steal Windows Access Tokens without needing administrator privileges.
In the last post, I mentioned that one of the requirements for performing a token heist is a source process running in a high-privilege context (such as administrator). This is because, by default, any process running in a high-privilege context has the SeDebugPrivilege and SeImpersonatePrivilege privileges, which can be enabled and leveraged to steal a token.
What if we have a process running with low-privilege context but has SeImpersonatePrivilege? Can we still steal a token and leverage it to escalate privileges? Turns out the answer is, yes.
We already know that a process needs SeDebugPrivilege enabled to access another process's token. This is still true. But there is another place we can get a token, and it does not require SeDebugPrivilege: named pipes.
Named Pipe Token Heist exploits services running with elevated privileges that interact with lower-privileged processes over named pipes. Many Windows services operate with SYSTEM or Administrator privileges and may accept connections from unprivileged user processes via named pipes for inter-process communication (IPC). If the service uses the ImpersonateNamedPipeClient() function to impersonate the connecting client, an attacker with SeImpersonatePrivilege can create a rogue named pipe server, trick the privileged service into connecting, and force it to impersonate the attacker's process. Once impersonation is established, the attacker can call OpenThreadToken() to retrieve the impersonation token assigned to the thread. If successful, this token can be duplicated using DuplicateTokenEx() and then used to launch a new process in the context of the higher-privileged user via CreateProcessWithTokenW(). Unlike direct process token theft, which typically requires SeDebugPrivilege to open a handle to a high-value process, named pipe token theft only requires SeImpersonatePrivilege.
The Sweet Potato and Rogue Potato attacks leverage Named Pipe Token Theft to escalate privileges by abusing the SeImpersonatePrivilege assigned to certain service accounts.
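Since the whole technique hinges on SeImpersonatePrivilege, the defensive first step is knowing which principals hold it. The following PowerShell audit is an added example, not code from the original post; it assumes secedit.exe is available and the shell is elevated (secedit /export needs administrator rights), and the temporary file name is my own choice.

```powershell
# Audit which accounts hold SeImpersonatePrivilege on the local machine.
# Added example; assumes an elevated shell and secedit.exe on the PATH.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported policy lists the privilege as a comma-separated line, e.g.
#   SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
# Entries prefixed with '*' are SIDs; Get-Content honours the file's UTF-16 BOM.
$line = Get-Content $cfg | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning 'SeImpersonatePrivilege not present in the exported policy'
    return
}

$entries = ($line -split '=', 2)[1].Trim() -split ','
foreach ($entry in $entries) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        # SID form: resolve to an account name so the list is reviewable.
        $sid = $entry.Substring(1)
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved>'
        }
        [pscustomobject]@{ SID = $sid; Account = $name }
    } else {
        # Already a name (rare in exported policy, but handled).
        [pscustomobject]@{ SID = '<name>'; Account = $entry }
    }
}
```

Anything beyond the built-in defaults (Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE) is a custom grant worth justifying or removing, and a Sysmon/EDR alert on unexpected named-pipe creation by those service accounts covers the rogue-server half of the technique.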
Red Team Notes
- Named Pipe Token Heist tricks a high-privileged service into impersonating the attacker via a rogue named pipe, enabling privilege escalation. This technique does not require administrator privileges.