There are a number of ways we can find a suitable file, such as using the SysInternals AccessChk utility, but to be 100% certain that the Storage Service's token can modify the file we'll use my NtObjectManager PowerShell module (specifically its Get-AccessibleFile cmdlet, which accepts a process to do the access check from). We don't care about the file's extension, as AddAgent only checks that the file exists and then loads it with LoadLibraryEx. We also want to pick a file that won't cause the OS install to become corrupt.

We need to find a file we can write to which isn't owned by TrustedInstaller. The majority of files in SYSTEM32 are actually owned by the TrustedInstaller group and so cannot be modified, even by Local System. Once we have such a file we can modify it, then use the DiagHub service to load it.

By exploiting this we can modify the security of any file that Local System can access for WRITE_DAC access.
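The same question, asked from the hardening side: which files under SYSTEM32 are not owned by TrustedInstaller yet grant Local System write or WRITE_DAC rights? The script below is an added example, not the post's own code, and it uses only built-in cmdlets (Get-ChildItem, Get-Acl) rather than the NtObjectManager token-based access check the author describes, so it reads DACLs statically and ignores Deny entries; treat its output as a list of candidates for review.

```powershell
# Added audit example (not from the original post). Lists SYSTEM32 files that
# are not owned by TrustedInstaller and whose DACL grants Local System rights
# that allow changing the file's contents or its security descriptor.
# This is a static ACL read, not a real access check against a token.
$root = "$env:SystemRoot\System32"
$trustedInstaller = 'NT SERVICE\TrustedInstaller'
$localSystem = 'NT AUTHORITY\SYSTEM'

# Rights that let the holder change the file's data or its security.
# ChangePermissions corresponds to WRITE_DAC, TakeOwnership to WRITE_OWNER.
$writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-WritableNonTrustedInstallerFile {
    param([string]$Path = $root)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            # Skip unreadable ACLs and files owned by TrustedInstaller.
            if (-not $acl -or $acl.Owner -eq $trustedInstaller) { return }

            # Allow entries (explicit or inherited) for SYSTEM with any of the
            # write-type rights above. Deny entries are deliberately ignored,
            # which is one reason this only approximates a true access check.
            $grants = $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $localSystem -and
                (($_.FileSystemRights -band $writeMask) -ne 0)
            }
            if ($grants) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Owner  = $acl.Owner
                    Rights = ($grants.FileSystemRights -join ', ')
                }
            }
        }
}

# Run the audit; an empty table means every SYSTEM32 file either belongs to
# TrustedInstaller or gives SYSTEM no write/WRITE_DAC/WRITE_OWNER rights.
Get-WritableNonTrustedInstallerFile | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every descriptor; a hit whose Owner is BUILTIN\Administrators or SYSTEM rather than TrustedInstaller is the kind of file the post's technique relies on, and is worth restoring to its servicing-stack ownership.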