#EQL to detect Local Privilege Escalation by unquoted service path: process where process_name:c\:\\program.* AND -process_name:c\:\\*\\* AND parent_name:services.exe AND user_name=="system" #threathunting
I have an idea for bypassing all that, though, that I want to test next time I see it. The thing is... APPX reparse points can be set on folders' alternate data streams, which will redirect execution to another exe. And a reparse point on an alternate data stream is effective on a folder.
Indeed, it's a "backward compatibility"-like detection.
It can still be abused on Win10+ (with admin privs) to persist (without creating a new service) and also to elevate IL from high to SYSTEM if one finds a vulnerable service.
Ahh, I see.
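The following is an added example, not code from the thread or from any of its participants. It shows what the EQL rule in the first tweet is actually looking for: a service whose ImagePath is unquoted and contains spaces makes services.exe hand CreateProcess a command line that is probed at every space, so a binary planted at C:\Program.exe runs as SYSTEM when the service starts. The script derives those probe paths, implements the tweet's rule as a Python predicate, and runs it over constructed process events. It goes a step beyond the tweet by also flagging binaries planted at the later split points. The event field names (process_path, parent_name, user_name), the sample events and the service path are assumptions for the example; the tweet's process_name is read as the full image path, which the rule's c\:\\ prefix implies.

```python
r"""
Unquoted service path: which binaries Windows probes, and the detection check.

A service whose ImagePath is  C:\Program Files\Foo Bar\svc.exe  (no quotes) makes
services.exe call CreateProcess with that string as the command line. CreateProcess
splits at each space and probes, in order:
    C:\Program.exe
    C:\Program Files\Foo.exe
    C:\Program Files\Foo Bar\svc.exe
If an attacker can write C:\Program.exe (or Foo.exe), it runs as SYSTEM at service
start. The EQL rule in the thread looks for exactly the first hit: a process whose
image is c:\program.<ext> with no deeper path component, spawned by services.exe
as SYSTEM.
"""
from dataclasses import dataclass


def candidate_executables(image_path: str) -> list[str]:
    """Executables CreateProcess probes for a command line, in order.

    A quoted path has a single candidate. For an unquoted path, every prefix
    ending at a space is tried; CreateProcess appends '.exe' to a candidate that
    has no extension, so 'C:\\Program' becomes 'C:\\Program.exe'. The ImagePath
    is assumed to be the bare binary path (no trailing arguments).
    """
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]
    parts = image_path.split(" ")
    cands = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if not cand.lower().endswith(".exe"):
            cand += ".exe"
        cands.append(cand)
    return cands


def hijack_paths(image_path: str) -> list[str]:
    """The non-final candidates: where an attacker would plant a binary."""
    return candidate_executables(image_path)[:-1]


@dataclass
class ProcessEvent:
    process_path: str   # full image path (assumed field; the rule keys on it)
    parent_name: str
    user_name: str


def matches_eql_rule(ev: ProcessEvent) -> bool:
    r"""Python equivalent of the thread's rule:
    process_name:c\:\\program.* AND -process_name:c\:\\*\\*
    AND parent_name:services.exe AND user_name=="system"
    The dot in program.* is literal, so only c:\program.<ext> qualifies.
    """
    p = ev.process_path.lower()
    return (
        p.startswith("c:\\program.")
        and "\\" not in p[len("c:\\"):]      # -process_name:c\:\\*\\*
        and ev.parent_name.lower() == "services.exe"
        and ev.user_name.lower() == "system"
    )


def matches_generalized(ev: ProcessEvent, service_image_paths) -> bool:
    """Broader check: any SYSTEM child of services.exe whose image sits at a
    planted-binary location of a known unquoted service path."""
    planted = {h.lower() for s in service_image_paths for h in hijack_paths(s)}
    return (ev.parent_name.lower() == "services.exe"
            and ev.user_name.lower() == "system"
            and ev.process_path.lower() in planted)


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program.exe", "services.exe", "SYSTEM"),                    # planted binary
    ProcessEvent(r"C:\Program Files\Foo Bar\svc.exe", "services.exe", "SYSTEM"),  # real service
    ProcessEvent(r"C:\Program.exe", "explorer.exe", "alice"),                     # run as a user
    ProcessEvent(r"C:\Program Files\Foo.exe", "services.exe", "SYSTEM"),          # 2nd split point
]
UNQUOTED_SERVICES = [r"C:\Program Files\Foo Bar\svc.exe"]  # constructed


def run_detection(events=SAMPLE_EVENTS, services=UNQUOTED_SERVICES):
    """Return (paths flagged by the tweet's rule, paths flagged by the broader check)."""
    eql_hits = [e.process_path for e in events if matches_eql_rule(e)]
    gen_hits = [e.process_path for e in events if matches_generalized(e, services)]
    return eql_hits, gen_hits


if __name__ == "__main__":
    for svc in UNQUOTED_SERVICES:
        print(svc, "->", candidate_executables(svc))
    eql, gen = run_detection()
    print("EQL rule hits:", eql)
    print("generalized hits:", gen)
```

Two things fall out of running it. The tweet's rule only fires on the first probe path, C:\Program.exe; a binary planted at C:\Program Files\Foo.exe is started by services.exe as SYSTEM too but has a second backslash and is excluded. And the rule needs a field holding the full image path; if the schema's process_name is only the file name, the c\:\\ prefix never matches.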