Windows Privilege Escalation – Unquoted Services

C:\Users\a>wmic service get name,pathname,startmode |findstr /i /v "C:\Windows\" |findstr /i /v """
Name          PathName                                                          StartMode
ASLDRService  C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe   Auto
ATKGFNEXSrv   C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe     Auto
LSM           Unknown
NetSetupSvc   Unknown
RX =

WinPmem

1. winpmem-2.1.post4.exe -o output.aff4
2. winpmem-2.1.post4.exe output.aff4 --export PhysicalMemory -o memory.img
   2.1 rekal -f memory.img hives
3. rekal -f \\.\pmem
4. pslist

Output:
Reading 0x3f7338000 16243MiB / 16255MiB 52MiB/s
Adding C:\Windows\SysNative\drivers\1394ohci.sys as file:///C:/Windows/SysNative/drivers/1394ohci.sys
Adding C:\Windows\SysNative\drivers\3ware.sys as file:///C:/Windows/SysNative/drivers/3ware.sys
Adding

Registry Viewer RST Files

AOL Instant Messenger (TM).rsr
AOL Instant Messenger.rsr
Favorites.rvc
Internet Explorer.rsr
NTUser – Files set to Run on Startup.rsr
NTUser – Internet Account Manager.rsr
NTUser – Internet Explorer.rsr
NTUser – LastVisited and OpenSave MRU.rsr
NTUser – Media Player MRUs.rsr
NTUser –

SIFT Clean Install

Instructions on installing SIFT3
- Download Ubuntu 14.04 Desktop: ubuntu-14.04.5-desktop-amd64.iso (checksums at http://releases.ubuntu.com/14.04/SHA256SUMS)
- Check the SHA256 against the published value:
  f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356 *ubuntu-14.04.5-desktop-amd64.iso
  PS C:\download> certutil.exe -hashfile .\ubuntu-14.04.5-desktop-amd64.iso sha256
  SHA256 hash of file .\ubuntu-14.04.5-desktop-amd64.iso:
  f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356
- Install in Oracle VM VirtualBox
- sudo apt-get update
- wget --quiet -O - https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh |