ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-12-18 18:36:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

LOL Drivers

Browse Source
This commit is contained in:
Swissky 2023-04-07 09:22:07 +02:00
parent 30d17b4924
commit 86cc53244d
1 changed files with 33 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
Methodology and Resources/Windows - Privilege Escalation.md
View File

@ -868,38 +868,42 @@ Application running as SYSTEM allowing an user to spawn a CMD, or browse directo
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt" Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
## EoP - Evaluating Vulnerable Drivers ## EoP - Evaluating Vulnerable Drivers
Look for vuln drivers loaded, we often don't spend enough time looking at this: Look for vuln drivers loaded, we often don't spend enough time looking at this:
```powershell * [Living Off The Land Drivers](https://www.loldrivers.io/) is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats.
# Native binary * Native binary: DriverQuery.exe
PS C:\Users\Swissky> driverquery.exe /fo table /si ```powershell
Module Name Display Name Driver Type Link Date PS C:\Users\Swissky> driverquery.exe /fo table /si
============ ====================== ============= ====================== Module Name Display Name Driver Type Link Date
1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM ============ ====================== ============= ======================
3ware 3ware Kernel 5/18/2015 6:28:03 PM 1394ohci 1394 OHCI Compliant Ho Kernel 12/10/2006 4:44:38 PM
ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM 3ware 3ware Kernel 5/18/2015 6:28:03 PM
AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM ACPI Microsoft ACPI Driver Kernel 12/9/1975 6:17:08 AM
acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM AcpiDev ACPI Devices driver Kernel 12/7/1993 6:22:19 AM
acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM acpiex Microsoft ACPIEx Drive Kernel 3/1/2087 8:53:50 AM
AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM acpipagr ACPI Processor Aggrega Kernel 1/24/2081 8:36:36 AM
acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM AcpiPmi ACPI Power Meter Drive Kernel 11/19/2006 9:20:15 PM
ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM acpitime ACPI Wake Alarm Driver Kernel 2/9/1974 7:10:30 AM
<SNIP> ADP80XX ADP80XX Kernel 4/9/2015 4:49:48 PM
<SNIP>
# https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery ```
PS C:\Users\Swissky> DriverQuery.exe --no-msft * [matterpreter/OffensiveCSharp/DriverQuery](https://github.com/matterpreter/OffensiveCSharp/tree/master/DriverQuery)
[+] Enumerating driver services... ```powershell
[+] Checking file signatures... PS C:\Users\Swissky> DriverQuery.exe --no-msft
Citrix USB Filter Driver [+] Enumerating driver services...
Service Name: ctxusbm [+] Checking file signatures...
Path: C:\Windows\system32\DRIVERS\ctxusbm.sys Citrix USB Filter Driver
Version: 14.11.0.138 Service Name: ctxusbm
Creation Time (UTC): 17/05/2018 01:20:50 Path: C:\Windows\system32\DRIVERS\ctxusbm.sys
Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US Version: 14.11.0.138
Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US Creation Time (UTC): 17/05/2018 01:20:50
<SNIP> Cert Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
``` Signer: CN="Citrix Systems, Inc.", OU=XenApp(ClientSHA256), O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US
<SNIP>
```
## EoP - Printers ## EoP - Printers