BOF - Lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking
ServiceMove is a POC code for an interesting lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.
A non-existing DLL file (i.e., hid.dll) will be loaded everytime when "Windows Perception Simulation Service" was started. By inserting a crafted DLL in "C:\Windows\System32\PerceptionSimulation" and starting the service remotely, we were able to achieve code execution as "NT AUTHORITY\SYSTEM" in a remote system.
The beauty of this technique is that it is relatively sleathy/OPSEC since it doesn't have the typical IOCs like other general lateral movement techniques (e.g., service creation/modification, scheduled task creation). All it will do is just dropping a file to remote system and starting a service remotely.
Windows 10 1809 or above only
Common Line Usage
Version: 1.0 Author: Chris Au Twitter: @netero_1010 Github: @netero1010 ===General use=== Command: bof-servicemove target /root/hid.dll ===Force mode=== Description: restart the service if the service is already running Command: bof-servicemove target /root/hid.dll force ===Cleanup mode=== Description: stop the service if running and delete the DLL payload file Command: bof-servicemove target cleanup
Export Functions for "hid.dll"
Ref to exports_function_hid.txt