BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking

---

ServiceMove is a POC code for an interesting lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.

A non-existing DLL file (i.e., hid.dll) will be loaded everytime when "Windows Perception Simulation Service" was started. By inserting a crafted DLL in "C:\Windows\System32\PerceptionSimulation" and starting the service remotely, we were able to achieve code execution as "NT AUTHORITY\SYSTEM" in a remote system.

The beauty of this technique is that it is relatively sleathy/OPSEC since it doesn't have the typical IOCs like other general lateral movement techniques (e.g., service creation/modification, scheduled task creation). All it will do is just dropping a file to remote system and starting a service remotely.

Limitation

Windows 10 1809 or above only

Common Line Usage

Version: 1.0
Author: Chris Au
Twitter: @netero_1010
Github: @netero1010

===General use===  
Command: bof-servicemove target /root/hid.dll  

===Force mode===  
Description: restart the service if the service is already running  
Command: bof-servicemove target /root/hid.dll force

===Cleanup mode===  
Description: stop the service if running and delete the DLL payload file  
Command: bof-servicemove target cleanup

Compile

make

Export Functions for "hid.dll"

Ref to exports_function_hid.txt

Demo