Unsecure Path security
Check file access:
accesschk.exe -accepteula -wvs "Authenticated Users" C:\*.* > C:\fld-usr.txt
accesschk.exe -accepteula -wvs "Users" C:\*.* >> C:\fld-usr.txt
Check for applications in the PATH that we can edit (read/write) - maybe backdoor the application so that when it is executed it also executes the implant :)
Check Paths:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
and look for the path variables. Look for files that appear attractive, then check whether you can write to them:
icacls PATH
If you can write, put your implant in the path as a program.
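The same check from the hardening side, as an added PowerShell example that is not part of the original notes: it reads the machine PATH from the registry key above and reports every directory whose ACL lets a low-privileged group write to it, so the permissions can be tightened. The SID list and the set of rights counted as "write" are assumptions of this example.

```powershell
# Added audit example (not from the original notes).
# Reports machine PATH directories that low-privileged groups can write to.

$envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# Assumption: these well-known SIDs are the principals treated as low-privileged.
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Assumption: rights that allow creating or replacing files, or taking over the ACL.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'
# Generic write / generic all, which can appear unmapped in stored ACEs.
$genericBits = 0x40000000 -bor 0x10000000
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$path = (Get-ItemProperty -LiteralPath $envKey -Name Path).Path

$findings = foreach ($entry in ($path -split ';' | Where-Object { $_.Trim() })) {
    $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    # Ask for SIDs instead of account names so matching does not depend on the OS language.
    $rules = (Get-Acl -LiteralPath $dir).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $lowPriv.ContainsKey($sid)) { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if ([int]$ace.PropagationFlags -band $inheritOnly) { continue }

        if ([int]$ace.FileSystemRights -band ($writeBits -bor $genericBits)) {
            [pscustomobject]@{
                Directory = $dir
                Principal = $lowPriv[$sid]
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

An empty table means none of the listed groups has write access to an existing machine PATH directory; any row is a directory whose ACL should be reviewed with icacls.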
Missing Binaries:
You can also run the GUI version and perform both autorunsc64.exe checks there, as missing binaries are highlighted in yellow in the tool.
Service:
Check for misconfigured/missing service binaries:
autorunsc64.exe -a s | more
Look for "File not found", then also check the service, and that you can write to the path, using:
sc query SERVICE
icacls SERVICE_EXE_PATH
Tasks:
Check for misconfigured/missing tasks:
autorunsc64.exe -a t | more
Look for "File not found", then also check the task, and that you can write to the path, using:
schtasks /query /tn TASK /xml
icacls SERVICE_EXE_PA
Check the integrity level / user SID and the trigger. To translate a SID to an account name:
wmic useraccount where sid='SIDNUMBER' get name