TSMSISrv_poc
April 18, 2019 ยท View on GitHub
Description
The SessionEnv service, which is installed by default on Windows, contains a DLL hijack. When a user with administrative privilege can restart this service they could utilize it for lateral movement.
This C# POC code leverages the called functions of the TSMSISrv.dll by putting malicious logic within StartComponent.
Build Process
Ensure you have UnmanagedExports installed and are building for your target architecture. Then, you can simply build the release version of the project.
Execution Instructions
sc.exe \\COMPUTER stop SessionEnvcopy TSMSISrv.dll to C:\Windows\System32\TSMSISrv.dllsc.exe \\COMPUTER start SessionEnv
Execution should have occurred adding a new user "demo".
Blog Details
https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992