Enumerating Services & Tasks
Here are some useful scripts to enumerate Services & Tasks.
PayloadAllTheThings
View Services & User that's running them
Get-WmiObject Win32_Service | Select-Object DisplayName, StartNameView Startup Services
PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | flStartup Folders
dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"PowerShell - List running Services
PS/> Get-ServicePS/> Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where { $_.PathName -notlike "C:\Windows*" }
| select Name,StartMode,PathNamePowerShell - List Scheduled Tasks
PS/> Get-ScheduledTaskPS/> tasklistEmumerate Service DLL's.
We can view the DLL's a service loads calling it's process:
Get-Process -Name RemoteServerWin | Select-Object -Expand Property Modules | Select-Object FileName
Get-Process -Name RemoteServerWin | select -ExpandProperty modules | group -Property FileName | select name
Get-Process | where {$_.Id -eq 520} | select -ExpandProperty modules | group -Property FileName | select name
Get-Process -Id 520 | select -ExpandProperty modules | group -Property FileName | select name
(Get-Process -Name "msedge").ModulesEnumerating Permissions
In order for us to leverage autorun service and scheduled tasks to escalate privileges, we need to have write privileges on a process that is run as a escalated user.
First, we will see how we can use the icacls command to check the permissions of folder and file ACLs.
The permissions we are looking for on the folder are any one of the following three permissions:
(F) Full Control
(M) Modify
(W) Write The user / group permissions we are looking for are the following:
The user we are currently logged in as (%USERNAME%) Authenticated Users Everyone BUILTIN\Users NT AUTHORITY\INTERACTIVE
NOTE: Use BOTH of these tools!
icacls
PS/> icacls "C:\Program Files (x86)\Unified Remote 3"accesschk64 - SysInternalsSuite
.\accesschk64.exe -wvud "C:\Users\Tom\AppData\Local\Microsoft\OneDrive" -accepteula
.\accesschk64.exe -wvud "C:\Program Files (x86)\Unified Remote 3" -accepteulaLast updated