netero1010/ServiceMove-BOF netero1010/ServiceMove-BOF

  • Stars
    star
    277
  • Rank 143,802 (Top 3 %)
  • Language
    C
  • Created over 2 years ago
  • Updated about 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
netero1010/ServiceMove-BOF
github

netero1010

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.

BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking

ServiceMove is a POC code for an interesting lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.

A non-existing DLL file (i.e., hid.dll) will be loaded everytime when "Windows Perception Simulation Service" was started. By inserting a crafted DLL in "C:\Windows\System32\PerceptionSimulation" and starting the service remotely, we were able to achieve code execution as "NT AUTHORITY\SYSTEM" in a remote system.

The beauty of this technique is that it is relatively sleathy/OPSEC since it doesn't have the typical IOCs like other general lateral movement techniques (e.g., service creation/modification, scheduled task creation). All it will do is just dropping a file to remote system and starting a service remotely.

Limitation

Windows 10 1809 or above only

Common Line Usage

Version: 1.0
Author: Chris Au
Twitter: @netero_1010
Github: @netero1010

===General use===  
Command: bof-servicemove target /root/hid.dll  

===Force mode===  
Description: restart the service if the service is already running  
Command: bof-servicemove target /root/hid.dll force

===Cleanup mode===  
Description: stop the service if running and delete the DLL payload file  
Command: bof-servicemove target cleanup

Compile

make

Export Functions for "hid.dll"

Ref to exports_function_hid.txt

Demo

HowTo

More Repositories

1

EDRSilencer

A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
C
824
star
2

GhostTask

A tool employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.
C
412
star
3

ScheduleRunner

A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation
C#
314
star
4

RDPHijack-BOF

Cobalt Strike Beacon Object File (BOF) that uses WinStationConnect API to perform local/remote RDP session hijacking.
C
264
star
5

TrustedPath-UACBypass-BOF

Cobalt Strike beacon object file implementation for trusted path UAC bypass. The target executable will be called without involving "cmd.exe" by using DCOM object.
C
112
star
6

Quser-BOF

Cobalt Strike BOF for quser.exe implementation using Windows API
C
85
star
7

ClipboardHistoryThief

POC tool to extract all persistent clipboard history data from clipboard service process memory
C
36
star
8

Vulnerability-Disclosure

3
star