When a service binary has weak permissions (e.g. it is world-writable), an attacker can leverage it by replacing the binary with malicious code, which the service then runs under its own account. This is a variation of weak service permissions.
To identify and exploit a weak service binary permission vulnerability:

- Check the ACL on the service binary (`Get-Acl C:\path\to\service.exe`).
- If the user has write permissions, `upload` a Cobalt Strike payload and replace the file using `copy`. If `copy` results in `ERROR_SHARING_VIOLATION`, then stop the service (`sc stop [service name]`).
- Connect to the newly created beacon from an existing beacon (e.g. `connect localhost 4444`).
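The single `Get-Acl` check above generalises to an audit of every installed service, which is the check a defender wants before an attacker runs it. The script below is an added example, not part of the original page; it assumes an elevated PowerShell session on the host being audited and treats SYSTEM, Administrators and TrustedInstaller as the only principals that should be able to write a service binary.

```powershell
# Added example: list service binaries whose ACL grants write/modify rights
# to a principal other than the trusted set below. Run elevated.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets the holder overwrite or replace the binary.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor `
               [System.Security.AccessControl.FileSystemRights]::Modify -bor `
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor `
               [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and carry arguments, e.g. "C:\dir\svc.exe" -k arg.
    # An unquoted path containing spaces is itself a finding (unquoted service
    # path) and is only resolved up to its first space here.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    $bin = Get-ServiceBinaryPath $svc.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { continue }
    $acl = Get-Acl -LiteralPath $bin
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName   # account the replaced binary would run as
            Binary    = $bin
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation for each finding: drop the offending grant so only the trusted
# principals keep write access, e.g.
#   icacls "<binary>" /remove:g "<principal>"
```

Services running as LocalSystem with a non-trusted principal in the Rights column are the highest-priority findings; inherited grants from a writable parent directory (e.g. a vendor folder under C:\) are the usual root cause.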