Executable Files

Overview

Some services run an executable that we have permission to modify. If we hold that level of access on the file (FILE_ALL_ACCESS), we can replace it with a malicious executable and have it do what we want as SYSTEM.

Escalation via Service Executables

Run PowerUp and check for ModifiableFileIdentityReference in the service executable results.

Manually check the permissions on the service's executable path using accesschk64:

accesschk64.exe -wvu "C:\Program Files\File Permissions Service"

Compile and upload the malicious exe, replace the old executable with it, and start the service:

sc start filepermsvc
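
The same permission check that PowerUp and accesschk64 perform above can be run fleet-wide as an audit. The script below is an added example, not code from the original page or from PowerUp. The function name Get-WritableAce and the list of principals treated as low-privileged are assumptions to adjust for your environment.

```powershell
# Added audit example: report service executables (and their folders) that
# low-privileged principals can modify. Not part of the original page.
# Assumption: which principals count as low-privileged.
$lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE'

# Rights that allow overwriting, replacing or re-ACLing a file or folder,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits Get-Acl can return unmapped.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$writeBits = $writeBits -bor 0x10000000 -bor 0x40000000

function Get-WritableAce {   # hypothetical helper name
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return }
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs apply to children, not to this object itself.
        $inheritOnly = $ace.PropagationFlags.HasFlag(
            [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        if ($ace.AccessControlType -eq 'Allow' -and -not $inheritOnly -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            ([int]$ace.FileSystemRights -band $writeBits)) {
            [pscustomobject]@{ Path     = $Path
                               Identity = $ace.IdentityReference.Value
                               Rights   = $ace.FileSystemRights }
        }
    }
}

Get-CimInstance Win32_Service | Where-Object PathName | ForEach-Object {
    $svc = $_
    # PathName may be quoted and may carry arguments; keep only the executable.
    if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
        $exe  = $Matches[1]
        $hits = @(Get-WritableAce $exe) + @(Get-WritableAce (Split-Path -Parent $exe))
        foreach ($hit in $hits) {
            [pscustomobject]@{ Service  = $svc.Name
                               RunsAs   = $svc.StartName
                               Path     = $hit.Path
                               Identity = $hit.Identity
                               Rights   = $hit.Rights }
        }
    }
}
```

Any row returned means a non-administrative principal can change what that service runs; tighten the ACL so only administrators, SYSTEM and TrustedInstaller can write to the file and its folder.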