Released a new Backup Operator to Domain Admin tool. It contains 4 different methods for escalation, more methods will be added: https://t.co/UytiiAipIO
@0gtweet Thanks, will look into this. I'm not sure the service attack is possible without reboot as the RCreateServiceW call updating the service db cannot be called without local admin, therefore the newly created service is not loaded on the target when only modifying registry.
@0gtweet Endless possibilities for sure, was also trying to identify some registry modification that could trigger execution immediately but that will have to wait for next update. If you know any feel free to DM :)
@vysecurity We mainly operate in CET business hours. Depending on the progress and the scenario we extend the working hours to evenings and weekends. If a freeze is coming up, we typically ask for extending the working hours. Restrictions in working hours is typically customer/WT request
@wdormann I don't think that's possible, since WDAC is controlling what is allowed and everything is default denied. The Deny rules in the policy is used when things overlap, let's say you allow all Windows signed but you want to specifically block some LOLBINS then you will use deny rules