Enumerating Services & Tasks

Here are some useful commands to enumerate services, startup items and scheduled tasks.

PayloadAllTheThings

View Services & User that's running them

Get-WmiObject Win32_Service | Select-Object DisplayName, StartName

View Startup Commands (Run keys and Startup folders; Win32_StartupCommand does not list services)

PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl

Startup Folders

The "Documents and Settings" paths only exist on Windows XP / Server 2003; on later versions they are compatibility junctions for the %programdata% and %appdata% locations, which is why the errors are sent to nul.

dir /b "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul
dir /b "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul
dir /b "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
dir /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul
Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"

PowerShell - List Services

Get-Service lists every installed service regardless of state; the second command keeps only services whose binary lives outside C:\Windows, which is where third-party (and usually weaker) services are found.

PS/> Get-Service
PS/> Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where { $_.PathName -notlike "C:\Windows*" } | select Name, StartMode, PathName

PowerShell - List Scheduled Tasks

PS/> Get-ScheduledTask
PS/> schtasks /query /fo LIST /v

Note: tasklist lists running processes, not scheduled tasks; schtasks is the command-line equivalent of Get-ScheduledTask and also works from cmd.exe.

Enumerate Service DLLs

We can view the DLLs a service loads by inspecting its process. Reading another account's process requires rights a low-privileged user normally lacks, so expect "Access is denied" for services running as SYSTEM unless the shell is elevated:

Get-Process -Name RemoteServerWin | Select-Object -ExpandProperty Modules | Select-Object FileName

Get-Process -Name RemoteServerWin | select -ExpandProperty modules | group -Property FileName | select name


Get-Process | where {$_.Id  -eq 520} | select -ExpandProperty modules | group -Property FileName | select name
Get-Process -Id 520 | select -ExpandProperty modules | group -Property FileName | select name

(Get-Process -Name "msedge").Modules

Enumerating Permissions

To leverage an autorun service or scheduled task for privilege escalation, we need write access to the executable it runs (or to the folder that contains it) while the service or task itself runs as a higher-privileged account, typically SYSTEM.

First, we will see how we can use the icacls command to check the permissions of folder and file ACLs.

The permissions we are looking for on the folder (or on the binary itself) are any one of the following three:

(F) Full Control

(M) Modify

(W) Write

(WDAC) Write DAC and (WO) Write Owner are just as useful: either lets us grant ourselves Full Control first.

The user / group permissions we are looking for are the following:

The user we are currently logged in as (%USERNAME%)

Authenticated Users

Everyone

BUILTIN\Users

NT AUTHORITY\INTERACTIVE

NOTE: Use BOTH of these tools!

icacls

PS/> icacls "C:\Program Files (x86)\Unified Remote 3"

accesschk64 - SysInternalsSuite

-w lists only principals with write access, -v prints the individual rights granted, -u suppresses errors, and -d reports on the directory itself instead of listing its contents.

.\accesschk64.exe -wvud "C:\Users\Tom\AppData\Local\Microsoft\OneDrive" -accepteula

.\accesschk64.exe -wvud "C:\Program Files (x86)\Unified Remote 3" -accepteula
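The following script is an added example, not code from the original page or from PayloadAllTheThings. It automates the manual icacls / accesschk checks above across every service binary and scheduled-task action on the host: it extracts the executable from each service PathName and task action, skips anything under %SystemRoot%, and reports ACEs on the binary and on its parent folder that grant a principal in the current token one of the rights listed above. It assumes Get-ScheduledTask is available (Windows 8 / Server 2012 and later) and should be run un-elevated, as the user whose rights are being assessed. Instead of hard-coding the five principals from the list, it takes the user and every group SID from the current token, which covers those five when the logon includes them and any extra groups as well.

```powershell
# Added example, not from the original page: automates the icacls / accesschk
# checks for every binary started by a service or a scheduled task. Run it
# un-elevated, as the user whose rights you are assessing.

# Every principal the current token carries: the user plus all group SIDs
# (Everyone, Authenticated Users, BUILTIN\Users, NT AUTHORITY\INTERACTIVE and
# so on). SIDs that have no name, such as the logon SID, are skipped.
$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MyPrincipals = @($Identity.Name) + @(
    foreach ($sid in $Identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
)

# icacls (F)/(M)/(W), the finer (WD)/(AD) rights that also let us overwrite
# the file, and (WDAC)/(WO) which let us grant ourselves Full Control.
$WeakRights = [int]([System.Security.AccessControl.FileSystemRights]'FullControl, Modify, Write, WriteData, AppendData, ChangePermissions, TakeOwnership')

function Test-WeakAcl {
    # Emits one object per Allow ACE on $Path that names a principal we hold
    # and carries at least one weak right. Emits nothing when the path is
    # missing or its ACL cannot be read.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($MyPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WeakRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

function Get-ExecutableFromCommandLine {
    # Pulls the program path out of a service PathName such as
    #   "C:\Program Files\Foo\foo.exe" -svc     or     C:\Foo\foo.exe -svc
    # For an unquoted path the first ".exe" is assumed to end it (an unquoted
    # path containing spaces is a separate finding and is not handled here).
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
        return
    }
    $m = [regex]::Match($cl, '^(.+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

$candidates = [System.Collections.Generic.List[string]]::new()

# Service binaries, with the same "outside C:\Windows" filter used above.
foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ExecutableFromCommandLine $svc.PathName
    if ($exe -and $exe -notlike "$env:SystemRoot*") { $candidates.Add($exe) }
}

# Scheduled task actions. Only Exec actions carry an Execute property; COM
# handler actions yield $null and are skipped, as are relative paths.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if ([IO.Path]::IsPathRooted($exe) -and $exe -notlike "$env:SystemRoot*") {
            $candidates.Add($exe)
        }
    }
}

# Check each binary and the folder it lives in; a writable folder is enough
# to plant a DLL next to the binary even when the binary itself is locked.
$findings = foreach ($exe in ($candidates | Sort-Object -Unique)) {
    Test-WeakAcl -Path $exe
    Test-WeakAcl -Path (Split-Path -LiteralPath $exe -Parent)
}
$findings | Format-Table Path, Principal, Rights -AutoSize
```

Every hit still deserves a manual icacls or accesschk64 look, because Get-Acl reports the raw ACE and does not resolve deny entries or inherited generic rights against the allow entries the way the access check itself does.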
