Hijacking Time Providers
Persistence
Execution
Service w32time depends on the DLL specified in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\
.
If an attacker can replace the w32time.dll
with his malicious DLL or modify the DllName value to point to his malicious binary, he can get that malicious code executed.
In this lab, we will just swap out the w32time.dll
with our own. It contains a metasploit reverse shell payload:
Starting the w32time service:
Attacker receiving a reverse shell:
Observations
The shell is running as a child of svchost which is expected as this is where all the services originate from:
Note that the code is running under the context of LOCAL SERVICE
:
This time and time again shows that binaries running off of svchost.exe, especially if they are rundll32 and are making network connections, should be investigated further.
References
Last updated