+------+------------------------------------------------+------+ | TEST | SERVICES > Registry Permissions | VULN | +------+------------------------------------------------+------+ | DESC | Parse the registry and check whether the current user | | | can modify the configuration of any registered | | | service. | +------+-------------------------------------------------------+ [*] Found 5 result(s).
Name : Dnscache ImagePath : C:\Windows\system32\svchost.exe -k NetworkService User : NT AUTHORITY\NetworkService ModifiablePath : HKLM\SYSTEM\CurrentControlSet\Services\Dnscache IdentityReference : NT AUTHORITY\INTERACTIVE Permissions : EnumerateSubKeys, ReadControl, CreateSubKey, QueryValue Status : Running UserCanStart : True UserCanStop : False
Name : Dnscache ImagePath : C:\Windows\system32\svchost.exe -k NetworkService User : NT AUTHORITY\NetworkService ModifiablePath : HKLM\SYSTEM\CurrentControlSet\Services\Dnscache IdentityReference : BUILTIN\Users Permissions : Notify, EnumerateSubKeys, ReadControl, CreateSubKey, QueryValue, GenericRead Status : Running UserCanStart : True UserCanStop : False
Name : Dnscache ImagePath : C:\Windows\system32\svchost.exe -k NetworkService User : NT AUTHORITY\NetworkService ModifiablePath : HKLM\SYSTEM\CurrentControlSet\Services\Dnscache IdentityReference : BUILTIN\Users Permissions : Notify, EnumerateSubKeys, ReadControl, CreateSubKey, QueryValue Status : Running UserCanStart : True UserCanStop : False
Name : RpcEptMapper ImagePath : C:\Windows\system32\svchost.exe -k RPCSS User : NT AUTHORITY\NetworkService ModifiablePath : HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper IdentityReference : NT AUTHORITY\Authenticated Users Permissions : ReadControl, CreateSubKey, QueryValue Status : Running UserCanStart : True UserCanStop : False
Name : RpcEptMapper ImagePath : C:\Windows\system32\svchost.exe -k RPCSS User : NT AUTHORITY\NetworkService ModifiablePath : HKLM\SYSTEM\CurrentControlSet\Services\RpcEptMapper IdentityReference : BUILTIN\Users Permissions : Notify, CreateSubKey, QueryValue Status : Running UserCanStart : True UserCanStop : False
// Get the command line of the current process pwszCommandLine = GetCommandLine();
// Get the name of the process owner GetUserName(wszUsername, &dwPcbBuffer);
// Get the PID of the current process dwProcessId = GetCurrentProcessId();
// Get the PID of the parent process hToolhelpSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); stProcessEntry.dwSize = sizeof(PROCESSENTRY32); if (Process32First(hToolhelpSnapshot, &stProcessEntry)) { do { if (stProcessEntry.th32ProcessID == dwProcessId) { dwParentProcessId = stProcessEntry.th32ParentProcessID; break; } } while (Process32Next(hToolhelpSnapshot, &stProcessEntry)); } CloseHandle(hToolhelpSnapshot);
// Get the current date and time GetLocalTime(&st);
// Prepare the output string and log the result dwBufSize = 4096 * sizeof(WCHAR); pwszBuffer = (LPWSTR)malloc(dwBufSize); if (pwszBuffer) { StringCchPrintf(pwszBuffer, dwBufSize, L"[%.2u:%.2u:%.2u] - PID=%d - PPID=%d - USER='%s' - CMD='%s' - METHOD='%s'\r\n", st.wHour, st.wMinute, st.wSecond, dwProcessId, dwParentProcessId, wszUsername, pwszCommandLine, pwszCallingFrom ); CreateDirectoryA("C:\\LOGS",NULL); LogToFile(L"C:\\LOGS\\RpcEptMapperPoc.log", pwszBuffer);