diff --git a/Methodology and Resources/Windows - Privilege Escalation.md b/Methodology and Resources/Windows - Privilege Escalation.md index e58e5e6..9677f30 100644 --- a/Methodology and Resources/Windows - Privilege Escalation.md +++ b/Methodology and Resources/Windows - Privilege Escalation.md 
@@ -868,38 +868,42 @@ Application running as SYSTEM allowing an user to spawn a CMD, or browse directo Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt" + ## EoP - Evaluating Vulnerable Drivers + Look for vuln drivers loaded, we often don't spend enough time looking at this: -```powershell -# Native binary -PS C:\Users\Swissky> driverquery.exe /fo table /si -Module Name Display Name Driver Type Link Date -============ ====================== ============= ====================== -1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM -3ware 3ware Kernel 5/18/2015 6:28:03 PM -ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM -AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM -acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM -acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM -AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM -acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM -ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM - - -# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery -PS C:\Users\Swissky> DriverQuery.exe --no-msft -[+] Enumerating driver services... -[+] Checking file signatures... -Citrix USB Filter Driver - Service Name: ctxusbm - Path: C:\Windows\system32\DRIVERS\ctxusbm.sys - Version: 14.11.0.138 - Creation Time (UTC): 17/05/2018 01:20:50 - Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US - Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US - -``` +* [Living Off The Land Drivers](https://www.loldrivers.io/) is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats. 
+* Native binary: DriverQuery.exe + ```powershell + PS C:\Users\Swissky> driverquery.exe /fo table /si + Module Name Display Name Driver Type Link Date + ============ ====================== ============= ====================== + 1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM + 3ware 3ware Kernel 5/18/2015 6:28:03 PM + ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM + AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM + acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM + acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM + AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM + acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM + ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM + + ``` +* [matterpreter/OffensiveCSharp/DriverQuery](https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery) + ```powershell + PS C:\Users\Swissky> DriverQuery.exe --no-msft + [+] Enumerating driver services... + [+] Checking file signatures... + Citrix USB Filter Driver + Service Name: ctxusbm + Path: C:\Windows\system32\DRIVERS\ctxusbm.sys + Version: 14.11.0.138 + Creation Time (UTC): 17/05/2018 01:20:50 + Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US + Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US + + ``` ## EoP - Printers
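Review bot: the bullet label `* Native binary: DriverQuery.exe` is misleading because the next bullet is the unrelated third-party tool from matterpreter, which is also invoked as `DriverQuery.exe`; the built-in one is `driverquery.exe` (as the prompt line itself shows), so suggest `* Native binary: driverquery.exe (built-in)` to keep the two apart. In the same bullet the command is `driverquery.exe /fo table /si`, but the pasted output has only the default columns (Module Name, Display Name, Driver Type, Link Date) and no signature information, so either drop `/si` or paste the output that switch actually produces; readers will otherwise expect an IsSigned column that never appears. Also worth a one-line caveat next to that table: the Link Date values shown (12/9/1975, 3/1/2087, 1/24/2081) are obviously not real build dates, so that column should not be used to judge how old or patched a driver is, and the signer/version output from the second tool is the better thing to compare. The intro line `Look for vuln drivers loaded, we often don't spend enough time looking at this:` reads awkwardly; suggest `Look for vulnerable drivers that are currently loaded; this step is often skipped:`. Finally, the LOLDrivers bullet describes the list but not how it fits the two enumerations below it; suggest adding that the Module Name / Path / Signer values from either tool are what you check against the list entries.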