Find-ProcessDLLHijack - Empire Module

This page contains detailed information about how to use the powershell/privesc/powerup/find_dllhijack Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Find-ProcessDLLHijack
Module: powershell/privesc/powerup/find_dllhijack
Source code [1]: empire/server/modules/powershell/privesc/powerup/find_dllhijack.yaml
Source code [2]: empire/server/data/module_source/privesc/PowerUp.ps1
MITRE ATT&CK: T1087, T1038, T1031, T1034, T1057, T1012, S0194
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes

The find_dllhijack module finds generic .DLL hijacking opportunities.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the find_dllhijack module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the find_dllhijack module:

Agent
Agent to run module on.

Additional Module Options

---

This is a list of additional options that are supported by the find_dllhijack module:

ExcludeOwned
Switch. Exclude processes the current user owns.

ExcludeProgramFiles
Switch. Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*.

ExcludeWindows
Switch. Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*.

OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.

Find_dllhijack Example Usage

---

Here's an example of how to use the find_dllhijack module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/powerup/find_dllhijack

 Author       @harmj0y                                                           
 Background   True                                                               
 Comments     https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp 
 Description  Finds generic .DLL hijacking opportunities.                        
 Language     powershell                                                         
 Name         powershell/privesc/powerup/find_dllhijack                          
 NeedsAdmin   False                                                              
 OpsecSafe    True                                                               
 Software     http://attack.mitre.org/software/S0194                             
 Techniques   http://attack.mitre.org/techniques/T1087                           
              http://attack.mitre.org/techniques/T1038                           
              http://attack.mitre.org/techniques/T1031                           
              http://attack.mitre.org/techniques/T1034                           
              http://attack.mitre.org/techniques/T1057                           
              http://attack.mitre.org/techniques/T1012                           


,Record Options-------,------------,----------,-------------------------------------,
| Name                | Value      | Required | Description                         |
|---------------------|------------|----------|-------------------------------------|
| Agent               |            | True     | Agent to run module on.             |
|---------------------|------------|----------|-------------------------------------|
| ExcludeOwned        |            | False    | Switch. Exclude processes the       |
|                     |            |          | current user owns.                  |
|---------------------|------------|----------|-------------------------------------|
| ExcludeProgramFiles |            | False    | Switch. Exclude paths from          |
|                     |            |          | C:\Program Files\* and C:\Program   |
|                     |            |          | Files (x86)\*                       |
|---------------------|------------|----------|-------------------------------------|
| ExcludeWindows      |            | False    | Switch. Exclude paths from          |
|                     |            |          | C:\Windows\* instead of just        |
|                     |            |          | C:\Windows\System32\*               |
|---------------------|------------|----------|-------------------------------------|
| OutputFunction      | Out-String | False    | PowerShell's output function to use |
|                     |            |          | ("Out-String", "ConvertTo-Json",    |
|                     |            |          | "ConvertTo-Csv", "ConvertTo-Html",  |
|                     |            |          | "ConvertTo-Xml").                   |
'---------------------'------------'----------'-------------------------------------'

(Empire: usemodule/powershell/privesc/powerup/find_dllhijack) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/powerup/find_dllhijack) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @harmj0y

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/powerup/find_dllhijack.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/privesc/PowerUp.ps1
• https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp
• http://attack.mitre.org/software/S0194
• http://attack.mitre.org/techniques/T1087
• http://attack.mitre.org/techniques/T1038
• http://attack.mitre.org/techniques/T1031
• http://attack.mitre.org/techniques/T1034
• http://attack.mitre.org/techniques/T1057
• http://attack.mitre.org/techniques/T1012
• https://raw.githubusercontent.com/mattifestation/PSReflect/master/PSReflect.psm1
• http://poshcode.org/2189
• http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights
• https://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/windows/desktop/aa379624(v=vs.85).aspx
• https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx
• https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/
• https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb
• https://www.mandiant.com/blog/malware-persistence-windows-registry/
• http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx
• http://www.greyhathacker.net/?p=738
• https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb
• http://www.fuzzysecurity.com/tutorials/16.html
• https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
• http://www.netspi.com
• https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
• http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
• http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx
• https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
• https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
• https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
• https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf
• http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
• https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
• https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
• http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
• http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html

See Also

---

Check also the following modules related to this module:

• powershell/privesc/powerup/service_exe_useradd
• powershell/privesc/powerup/write_dllhijacker
• powershell/privesc/powerup/service_stager
• powershell/privesc/powerup/service_exe_restore
• powershell/privesc/powerup/service_exe_stager
• powershell/privesc/powerup/service_useradd
• powershell/privesc/powerup/allchecks
• python/situational_awareness/network/find_fruit
• powershell/recon/find_fruit
• powershell/situational_awareness/network/powerview/find_foreign_user
• powershell/situational_awareness/network/powerview/find_gpo_computer_admin
• powershell/situational_awareness/network/powerview/find_localadmin_access
• powershell/situational_awareness/network/powerview/find_foreign_group
• powershell/situational_awareness/network/powerview/find_gpo_location
• powershell/situational_awareness/network/powerview/find_managed_security_group
• powershell/collection/find_interesting_file
• powershell/collection/vaults/find_keepass_config
• powershell/situational_awareness/network/powerview/share_finder
• powershell/situational_awareness/host/findtrusteddocuments
• powershell/collection/file_finder

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.