Authenticated Remote Code Execution Methods in Windows


All of the below are supported ways of remotely executing code that are built-in to Windows. If psexec isn't working since a service is not running or ports are blocked, you can try all these other options; defenders who want to detect intruders moving through the network need to detect all of these; incident responders might want to look for evidence of these, etc.

1. Service Control Manager (SCM)
This method is used by psexec and all of its clones to start the executable that psexec creates.
Result:
A command to be run on demand and/or boot as SYSTEM (or less privileged accounts, but why would you do that?).
Example:
step 1/2; a new service can be created:
sc REMOTECOMPUTERNAME create myservicename binPath= executableToRun start= auto
alternatively, an existing service can be reconfigured:
sc REMOTECOMPUTERNAME config existingservice binPath= executableToRun start= auto
step 2/2; executableToRun will run on the remote system on boot as SYSTEM, or when instructed by:
sc REMOTECOMPUTERNAME start myservicename
variants exist for specifying DLL to load instead of executable, etc.
Implementation details:
Recent versions of Windows will connect to the RPC portmapper on port 135 then to an RPC server on an ephemeral port (such as 49154 or 49159 etc.). If that fails, or the attacking system has been specially configured, it will fall back to the second method, writing to the svcctl named pipe (a.k.a. srvsvc) on remote computer over SMB. (TCP port 139 or 445 owned by kernel, forwarded to srvsvc pipe)
srvsvc pipe hosted by Server service in svchost.exe running as SYSTEM.

2. Task scheduler
Result:
A command to be run at designated time(s) as SYSTEM.
Example:
AT \\REMOTECOMPUTERNAME 12:34 "command to run"
Implementation details:
In the old days, you would writing to atsvc named pipe on remote computer over SMB. (TCP port 139 or 445 owned by kernel, forwarded to atsvc pipe)
atsvc pipe hosted by Task Scheduler (Schedule) service in svchost.exe running as SYSTEM. Recent versions of Windows will connect to the RPC portmapper on port 135 then to an RPC server on an ephemeral port (such as 49154 or 49159 etc.).

3. WMI
Result:
An immediate command execution under the administrative account used.
Example:
WMIC /node:REMOTECOMPUTERNAME PROCESS call create "command to run"
Implementation details:
Connecting to remote procedure call portmapper interface (RpcSs service in svchost.exe directly listening on TCP port 135) then to an RPC server on an ephemeral port (such as 49154 or 49159 etc.).

4. Remote Registry
Result:
A command to be run or DLL to be loaded when specific events occur, such as boot or login or process execution, as active user or SYSTEM.
Example:
REG ADD \\REMOTECOMPUTERNAME\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v myentry /t REG_SZ /d "command to run"
Command will run every time a user logs in as the user. Other options include creating or modifying services which can run as SYSTEM on the next reboot, loading a DLL into most new processes with the AppInit_DLLs registry value, using IFEO to hijack different commands, and many more.
Implementation Details:
Writing to the winreg named pipe on remote computer over SMB. (TCP port 139 or 445 owned by kernel, forwarded to winreg pipe)
The winreg pipe is hosted by Remote Registry service in svchost.exe

5. Remote File Access
Result:
An executable will be run or DLL will be loaded when specific events occur, such as boot or login or process execution, as active user or SYSTEM.
Example:
xcopy executabletorun.exe "\\REMOTECOMPUTERNAME\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\e.exe"
Command will run every time a user logs in as the user. Other options include DLL hijacks or writing an MOF to the %WINDOWS%\system32\wbem\mof that will be executed automatically by WMI in older OS's.
Implementation Details:
Writing to remote administrative shares using SMB. (TCP port 139 or 445 owned by kernel)

6. Remote Desktop
Best known for interactive GUI logins, the remote desktop protocol also allows for direct command execution.
Result:
Interactive desktop access and/or command execution with the privileges of the user account used.
Example:
rdesktop 1.2.3.4
Opens an interactive remote desktop session.
Implementation Details:
Hosted by the TermService service ("Remote Desktop Services") in svchost.exe by a server socket listening on TCP port 3389.

7. Windows Remote Management
Note: this is not enabled by default! But it is common enough, and the capability is built-in to recent Windows versions. Often used through powershell.
Result:
Immediate command execution under the administrative account used.
Example:
winrs -r:REMOTECOMPUTERNAME command to run
Implementation Details:
Hosted by Windows Remote Management service (svchost.exe), listens on TCP/80 or TCP/5985 and can share port with IIS.

8. MMC20.Application DCOM
Matt Nelson documented this method of using DCOM over RPC to instantiate a "MMC20.Application" COM object and then calling the ExecuteShellCommand method.
Result:
Immediate command execution under the administrative account used.
Example:
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "REMOTECOMPUTERNAME")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe", $null, "parameters here", "7")';
Implementation Details:
Connecting to remote procedure call portmapper interface (RpcSs service in svchost.exe directly listening on TCP port 135) then to an RPC server on an ephemeral port (such as 49154 or 49159 etc.).

Honorable mentions:
VNC, SCCM, SSH, and a lot of third party software. Any of your favorites I am missing? Let me know.

, , , ,

  1. #1 by mihi on February 22, 2013 - 5:19 pm

    Maybe a bit older, but DCOM can also be used for remote code execution if suitable DCOM services are installed. For example, Visual Studio 6 (don’t think it is included in more recent versions) tends to install Machine Debug Manager DCOM service which can be used to remotely debug processes running under the interactive session by any Administrators or Debugger Users group member. And if you debug them, you can also WriteProcessMemory or CreateRemoteThread.

    And Windows also includes (or included) a Telnet daemon, disabled by default, which can obviously be used to execute remote commands.

(will not be published)