When a service binary has a weak permission (e.g. world-writable), an attacker can leverage it by replacing the binary with malicious code. This is a variation of weak service permissions.
To identify and exploit a weak service binary permission vulnerability:
- Check the ACL on the service binary (Get-Acl C:\path\to\service.exe).
- If the current user has write permission, upload a Cobalt Strike payload and replace the file using copy. If copy results in ERROR_SHARING_VIOLATION, stop the service first (sc stop [service name]).
- Connect to the newly created beacon from an existing beacon (e.g. connect localhost 4444).
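The same ACL check, turned into a host audit for defenders: the script below (an added example, not part of the original page) enumerates every installed service, extracts the binary path from its command line, and reports any binary on which a low-privileged principal holds a write-class right. The SID list and the set of rights treated as "write" are assumptions chosen for this example; it assumes a Windows host and rights sufficient to read each binary's ACL.

```powershell
# Added example: find service binaries writable by low-privileged principals.
# Assumption: these well-known SIDs are the "anyone" groups worth flagging.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-7'        # Anonymous Logon
)

# Assumption: any of these rights lets the binary be replaced or re-permissioned.
$fr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fr::WriteData -bor $fr::AppendData -bor $fr::Delete -bor
             $fr::ChangePermissions -bor $fr::TakeOwnership -bor
             $fr::Modify -bor $fr::FullControl

function Get-ServiceExePath([string]$cmd) {
    # Service command lines may be quoted ("C:\Program Files\x\svc.exe" -arg)
    # or unquoted with spaces (C:\Program Files\x\svc.exe -arg).
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Find-WritableServiceBinary {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExePath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable or orphaned SID: skip
            if ($lowPrivSids -contains $sid) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    Binary    = $exe
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    RunsAs    = $svc.StartName   # LocalSystem here is the worst case
                }
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table -AutoSize
```

Every row returned is a binary that should have its ACL reset so that only SYSTEM, Administrators and TrustedInstaller can write to it; the RunsAs column shows how much privilege a replacement would inherit.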