Enumerating Services & Tasks
Here are some useful scripts to enumerate Services & Tasks.
PayloadAllTheThings
View Services & the User Account Each Runs As
Get-WmiObject Win32_Service | Select-Object DisplayName, StartName
View Startup Services
PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
Startup Folders
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
PowerShell - List running Services
PS/> Get-Service
PS/> Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where { $_.PathName -notlike "C:\Windows*" } | select Name,StartMode,PathName
PowerShell - List Scheduled Tasks
PS/> Get-ScheduledTask
PS/> tasklist
Enumerate Service DLLs
We can view the DLLs a service loads by inspecting the modules of its process (by name or by PID):
Get-Process -Name RemoteServerWin | Select-Object -ExpandProperty Modules | Select-Object FileName
Get-Process -Name RemoteServerWin | select -ExpandProperty modules | group -Property FileName | select name
Get-Process | where {$_.Id -eq 520} | select -ExpandProperty modules | group -Property FileName | select name
Get-Process -Id 520 | select -ExpandProperty modules | group -Property FileName | select name
(Get-Process -Name "msedge").Modules
Enumerating Permissions
To leverage autorun services and scheduled tasks for privilege escalation, we need write access to the executable, DLL, or folder used by a process that runs as a higher-privileged user.
First, we will see how to use the icacls command to check the permissions (ACLs) of folders and files.
On the folder, we are looking for any one of the following three permissions:
(F) Full Control
(M) Modify
(W) Write
The user / group entries we are looking for are the following:
The user we are currently logged in as (%USERNAME%)
Authenticated Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NOTE: Use BOTH of these tools!
icacls
PS/> icacls "C:\Program Files (x86)\Unified Remote 3"
accesschk64 - SysInternalsSuite
.\accesschk64.exe -wvud "C:\Users\Tom\AppData\Local\Microsoft\OneDrive" -accepteula
.\accesschk64.exe -wvud "C:\Program Files (x86)\Unified Remote 3" -accepteula
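The following PowerShell script is an added example (it is not part of the original notes, PayloadsAllTheThings, or the Sysinternals tools). It combines the service listing above with the icacls-style check: every non-Windows service's executable and its parent folder are tested for Allow entries granting (F), (M) or (W) to one of the principals listed above, which is the same misconfiguration a hardening audit reports. It also resolves a running service to the DLLs it has loaded from outside the Windows directory, per the Get-Process module commands earlier on the page. The function names (Find-WeakServicePermissions, Get-ServiceBinaryPath, Test-WeakAcl, Get-ServiceModules) are my own, and the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original page: audit non-Windows services whose
# executable or its parent folder grants (F) Full Control, (M) Modify or (W) Write
# to low-privileged principals, and list the DLLs a running service has loaded.
# Assumes Windows PowerShell 5.1+; function names are my own, not a known tool's.

# Principals from the page's list; $env:USERNAME is the current user.
$weakPrincipals = @(
    "$env:USERDOMAIN\$env:USERNAME",
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights matching the icacls (F), (M) and (W) flags.
$writeRights = @(
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.FileSystemRights]::Write
)

function Get-ServiceBinaryPath {
    # Strip quotes and arguments from Win32_Service.PathName, leaving the .exe path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $acc = @()
    foreach ($token in ($PathName -split ' ')) {
        $acc += $token
        if ($token -match '\.exe$') { return ($acc -join ' ') }   # unquoted path with spaces
    }
    return ($PathName -split ' ')[0]
}

function Test-WeakAcl {
    # Return one record per Allow ACE that gives a weak principal F, M or W on $Path.
    param([string]$Path)
    $hits = @()
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $hits }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($weakPrincipals -notcontains $id) { continue }
        foreach ($right in $writeRights) {
            # -band on the enum checks that every bit of the right is granted
            if (($ace.FileSystemRights -band $right) -eq $right) {
                $hits += [pscustomobject]@{ Path = $Path; Principal = $id; Right = $right }
                break
            }
        }
    }
    return $hits
}

function Find-WeakServicePermissions {
    # Same filter as the Get-WmiObject one-liner above: skip services under C:\Windows.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and ($_.PathName -replace '"', '') -notlike 'C:\Windows*' } |
        ForEach-Object {
            $svc = $_
            $exe = Get-ServiceBinaryPath $svc.PathName
            if (-not $exe) { return }
            foreach ($target in @($exe, (Split-Path -Parent $exe))) {
                foreach ($hit in (Test-WeakAcl $target)) {
                    [pscustomobject]@{
                        Service   = $svc.Name
                        RunsAs    = $svc.StartName
                        StartMode = $svc.StartMode
                        Path      = $hit.Path
                        Principal = $hit.Principal
                        Right     = $hit.Right
                    }
                }
            }
        }
}

function Get-ServiceModules {
    # Resolve a running service to its process and list DLLs loaded from outside
    # the Windows directory (the page's Get-Process ... Modules check, per service).
    param([string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc -or -not $svc.ProcessId) { return @() }
    try {
        (Get-Process -Id $svc.ProcessId -ErrorAction Stop).Modules |
            Where-Object { $_.FileName -notlike "$env:SystemRoot*" } |
            Select-Object -ExpandProperty FileName -Unique
    } catch { @() }   # access denied on protected processes is expected without admin
}

Find-WeakServicePermissions | Format-Table -AutoSize
```

Run it from a normal (non-elevated) prompt, since the point is what the current low-privileged user can write; an empty table means no non-Windows service binary or folder is writable by the principals above. Get-ServiceModules takes a service name (for example the one behind RemoteServerWin) and returns only the DLLs loaded from outside %SystemRoot%, which are the ones worth feeding back into Test-WeakAcl.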