2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article introduces the Windows permission maintenance (persistence) technique of hiding a service. In daily work many people have doubts about how hidden services are used for Windows permission maintenance, so the editor consulted various materials and sorted out a simple, easy-to-use method of operation, hoping it helps answer those doubts. Next, please follow the editor to study!
0x01 Registration Service
Registering the backdoor as a Windows auto-start service is a common persistence method. You can register the backdoor program as an auto-start service using either the sc command or a PowerShell command.
Use the sc command to register the backdoor as a self-starting service and run as LocalSystem:
Start the service manually or restart the computer, and the backdoor is executed. Although starting it manually reports that the service failed to start, the backdoor has in fact run successfully:
Msf successfully establishes a new session, and the privilege level is shown as system.
Although auto-start through a service works, this persistence method is easy to detect: a newly created service can be enumerated, and if the defender sees a service with an unfamiliar name, it will be suspected of being malicious. Service information can be viewed with the sc command or the Get-Service command.
Use sc to view the service information status of the specified name:
Or use the sc command to view the configuration information of the service, which shows the backdoor file path directly:
You can also view service information with Get-Service in PowerShell.
0x02 Hidden Service
To keep the persistence from being discovered by the defender, consider hiding the service. Joshua Wright describes a way to modify a service's security descriptor through SDDL (Security Descriptor Definition Language); his article is listed in the references at the end of this article. Services in Windows, like files, use a security descriptor (SD) to configure which permissions the securable object allows or denies to which principals.
The method provided by Joshua Wright uses the sdset module of the sc command to modify the security descriptor of the service, as follows:
Sc.exe sdset test "D: (Dmitrites DCLCWPDTSD) (DCLCWPDTSD)) (DCLCWPDTSD) (DCLCWPDTSD) () (sc.exe sdset test" D) (DCLCWLOCRRCSD) () (): (CCLCSWLOCRRC)
Use the Get-Service command again to view the service information: the service no longer appears.
Viewing the service information with sc.exe reports access denied.
Use sc.exe to query all service information and filter the service named "test". The result is empty.
0x03 Principle: SDDL
Windows services support controlling service permissions through the Security Descriptor Definition Language (SDDL). By modifying the SDDL, you modify the DACL (discretionary access control list) of the object (file or service), and thus the access that users have to that object. By editing the SDDL of the service so that all users are denied access to it, the effect of hiding the service is achieved.
SDDL syntax:
Symbol description:
  O:  Owner
  G:  Primary group
  D:  Discretionary ACL (DACL)
  S:  System ACL (SACL)
ACE type:
  A:  Access Allowed
  D:  Access Denied
  OA: Object Access Allowed
  OD: Object Access Denied
  AU: System Audit
  AL: System Alarm
  OU: System Object Audit
  OL: System Object Alarm
  ML: System Mandatory Label
Service rights:
  CC: service configuration query
  LC: service status query
  SW: SERVICE_ENUMERATE_DEPENDENTS
  RP: service start
  WP: service stop
  DT: service pause
  DC: service configuration change
  SD: delete
Inheritance flags:
  OI: the ACE can be inherited by child objects
  CI: the ACE can be inherited by child containers
  IO: the ACE applies only to child objects
  NP: inherited only by direct children; not propagated further
Accounts:
  IU: interactive logon user
  AU: authenticated users
  SU: service logon user
Format: (allow/deny; inheritance flags; permission list; ; ; account)
Use a PowerShell command to view the SDDL of a folder:
Get-Acl C:\Windows | fl
Now analyze the earlier command used to hide the service. The SDDL that does the hiding consists mainly of the following deny ACEs:
D:(D;;DCLCWPDTSD;;;IU)  // deny interactive logon users the service configuration, query, status query, pause and delete permissions
(D;;DCLCWPDTSD;;;SU)    // deny service logon users the same permissions
(D;;DCLCWPDTSD;;;BA)    // deny the BA group the same permissions
Having understood the principle, it is clear that hiding a service really just means modifying the service's permissions so that the service denies all users the query and related rights.
The service permissions can also be modified in [Group Policy Management Editor -> Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services].
Revoke all users' read rights on the DHCP Client service through the Group Policy Editor.
Use Get-Service to view the DHCP Client service: the service appears not to exist.
0x04 Defense
After being hidden by the method in this article, none of the following methods can query the information of the service.
PS C:\WINDOWS\system32> Get-Service | Select-Object Name | Select-String -Pattern 'test'
PS C:\WINDOWS\system32> Get-WmiObject Win32_Service | Select-String -Pattern 'test'
PS C:\WINDOWS\system32> sc.exe query | Select-String -Pattern 'test'
If you know the service name in advance and have permission to stop the service, stopping it via Get-Service prompts that the service cannot be opened.
If the service really does not exist, stopping it gives a different prompt.
Querying the service information with sc prompts that you do not have permission.
However, querying the service configuration information with sc still succeeds, because no ACE denies the user the service configuration query right.
The method above also denies the stop right, so the service cannot be stopped, but the prompts still reveal information about the service.
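The checks above rely on the query rights named in the SDDL table. As an added example (not code from the original article or from Joshua Wright), the following Python parses a service SDDL string, flags deny ACEs that strip query rights (CC, LC, SW, RC) from any principal, and compares the service names still present as HKLM\SYSTEM\CurrentControlSet\Services registry subkeys against what Get-Service enumerated. The SDDL strings and name lists are constructed samples; on a live host the SDDL comes from `sc.exe sdshow <name>` and the function names here are the author's own.

```python
import re

# Service access-right tokens from the SDDL table above. A principal denied any
# of these cannot enumerate or query the service, which is what makes it
# disappear from Get-Service / sc query.
QUERY_RIGHTS = ("CC", "LC", "SW", "RC")   # config query, status query, enum dependents, read SD
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) section as (type, flags, rights, trustee) tuples."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # stop at the SACL if present
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")
        if len(parts) != 6:                              # type;flags;rights;objguid;inhguid;sid
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, _obj, _inh, trustee = parts
        aces.append((ace_type, flags, re.findall(r"[A-Z]{2}", rights), trustee))
    return aces

def hidden_service_findings(sddl):
    """Deny ACEs that strip query rights, as a list of (trustee, [blocked rights])."""
    findings = []
    for ace_type, _flags, rights, trustee in parse_dacl(sddl):
        blocked = [r for r in rights if r in QUERY_RIGHTS]
        if ace_type == "D" and blocked:
            findings.append((trustee, blocked))
    return findings

def unlisted_services(registry_names, enumerated_names):
    """Service names present as registry subkeys under
    HKLM\\SYSTEM\\CurrentControlSet\\Services but missing from an enumeration
    such as Get-Service output (the key survives an SDDL-based hide)."""
    return sorted(set(registry_names) - set(enumerated_names))

# Constructed samples (not captured from a live host): the default service SDDL
# and a variant carrying the three deny ACEs analysed in section 0x03.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HIDDEN_SDDL = ("D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)"
               "(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("hidden", HIDDEN_SDDL)):
        print(label, hidden_service_findings(sddl))
    print(unlisted_services(["Dhcp", "test", "W32Time"], ["Dhcp", "W32Time"]))
```

A service whose SDDL yields findings, or whose registry key has no matching Get-Service entry, deserves a look at its binary path in the registry's ImagePath value.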
Therefore, to hide the service information more thoroughly, the SDDL of the method above can be changed to add a deny entry for the service configuration query right (CC):
Sc.exe sdset test "D: (Dmitrites DCLCWPDTSDCC political IU) (DCLCWPDTSDCCpolitical Su) (DCLCWPDTSDCCSepterBA) (AmitableCCLCSWLOCRRCpolitical political IU) (AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
0x05 Restore
By removing the deny entries from the SDDL (that is, setting the default service security descriptor back), the service can be queried normally again:
& $env:SystemRoot\System32\sc.exe sdset auto_calc "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
This concludes the study of "Windows permission maintenance skills: how to use hidden services". I hope it has resolved your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to continue learning related knowledge, please keep following the website; the editor will keep working to bring you more practical articles!
© 2024 shulou.com SLNews company. All rights reserved.