-
Notifications
You must be signed in to change notification settings - Fork 74
/
FileWrite2system.txt
51 lines (29 loc) · 1.63 KB
/
FileWrite2system.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
### 2023
C:\Windows\System32\spool\drivers\x64\3\Printconfig.dll
$type = [Type]::GetTypeFromCLSID("{854A20FB-2D44-457D-992F-EF13785D2B51}")
$object = [Activator]::CreateInstance($type)
https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
### no need to reboot to get NT AUTHORITY\SYSTEM ###
https://github.com/sailay1996/FileWrite2system
https://github.com/itm4n/UsoDllLoader
https://github.com/sailay1996/WerTrigger
https://github.com/OneLogicalMyth/zeroday-powershell
https://github.com/ionescu007/faxhell
something which I found
C:\Windows\System32\wpcoreutil.dll (Windows Insider service `wisvc` triggerd by Clicking Start Windows Insider Program)
C:\Windows\System32\phoneinfo.dll (Windows Problem Reporting service)
https://twitter.com/404death/status/1262670619067334656 (without reboot by @jonasLyk)
C:\Windows\System32\wbem\dxgi.dll ( windows security -> check for protection update)
C:\Windows\System32\wbem\tzres.dll (systeminfo, NetworkService)
https://twitter.com/404death/status/1275007088817631237
### Need to reboot to get NT AUTHORITY\SYSTEM (hijack dll) ###
C:\Windows\System32\wlbsctrl.dll (IKEEXT service)
C:\Windows\System32\wbem\wbemcomn.dll (IP Helper)
C:\Windows\System32\ualapi.dll (spooler service)
http://www.hexacorn.com/blog/2016/11/08/beyond-good-ol-run-key-part-50/
C:\Windows\System32\fveapi.dll (ShellHWDetection Service) @bohops
C:\Windows\System32\Wow64Log.dll (this dll loaded by other third party services such as GoogleUpdate.exe)
http://waleedassar.blogspot.com/2013/01/wow64logdll.html
I found something new
edgegdi.dll C:\Windows\System32
triggered by "Update-MpSignature"