Beyond


This is the Beyond page, where additional post-exploitation enumeration and assessment are carried out as SYSTEM after the target system has been compromised.

Tasks


PS C:\Windows\system32> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State 
 
TaskName                                                          TaskPath    State 
--------                                                          --------    -----
Amazon Ec2 Launch - Instance Initialization                       \        Disabled
GoogleUpdateTaskMachineCore{E3C7062B-D718-46C5-9004-08D721468C4B} \         Running
GoogleUpdateTaskMachineUA{A7809410-2DF5-4943-A78D-6D05DD711F96}   \           Ready
Python                                                            \         Running
Start Jupyter in WSL                                              \         Running
User_Feed_Synchronization-{ED9AC2B8-78FF-44ED-A7BB-A4E4B01E09D7}  \           Ready
  • \Python
  • \Start Jupyter in WSL

\Python


PS C:\Windows\system32> schtasks /QUERY /TN \Python /V /FO LIST 
 
Folder: \
HostName:                             DEV-DATASCI-JUP 
TaskName:                             \Python
Next Run Time:                        N/A
Status:                               Running
Logon Mode:                           Interactive only
Last Run Time:                        7/6/2025 11:03:30 AM
Last Result:                          267009
Author:                               DEV-DATASCI-JUP\dev-datasci-lowpriv
Task To Run:                          cmd.exe /c python.exe
Start In:                             N/A
Comment:                              N/A 
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          dev-datasci-lowpriv
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At logon time
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

\Start Jupyter in WSL


PS C:\Windows\system32> schtasks /QUERY /TN "\Start Jupyter in WSL" /V /FO LIST 
 
Folder: \
HostName:                             DEV-DATASCI-JUP 
TaskName:                             \Start Jupyter in WSL
Next Run Time:                        N/A
Status:                               Running
Logon Mode:                           Interactive/Background
Last Run Time:                        7/6/2025 11:03:18 AM
Last Result:                          267009
Author:                               DEV-DATASCI-JUP\Administrator
Task To Run:                          wsl.exe -e sudo /bin/su dev-datasci -c "/home/dev-datasci/anaconda3/bin/jupyter notebook --config=/home/dev-datasci/.jupyter/jupyter_notebook_config.py --no-browser --notebook-dir=/home/dev-datasci/datasci-team/" &
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Administrator
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A 
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A
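The two tasks above show the signals an assessor looks for in a scheduled task: who it runs as, what fires it, and what the action actually executes (a bare `python.exe` resolved through PATH, a launcher that hands off to `sudo`/`su` inside WSL). The following audit script is an added example and is not code from the original page; it assumes an elevated PowerShell session on the host and uses only the built-in ScheduledTasks cmdlets. The function name `Get-ScheduledTaskRisk` and the list of principals treated as privileged are my own choices.

```powershell
# Added example, not from the original page: audit non-Microsoft scheduled tasks for the
# risk signals visible in the two tasks above (privileged principal, boot/logon trigger,
# an action that is a bare executable name resolved through PATH, or a launcher that
# delegates to a second program). Assumes an elevated PowerShell session on the host.

function Get-ScheduledTaskRisk {
    [CmdletBinding()]
    param(
        # Task folders treated as vendor-managed and skipped; Microsoft's folder by default.
        [string[]]$ExcludeTaskPath = @('\Microsoft\*')
    )

    # Account names considered privileged (assumption; extend for your environment).
    $privileged = @('SYSTEM', 'LocalSystem', 'Administrator')

    Get-ScheduledTask | Where-Object {
        $path = $_.TaskPath
        -not ($ExcludeTaskPath | Where-Object { $path -like $_ })
    } | ForEach-Object {
        $task    = $_
        $info    = $task | Get-ScheduledTaskInfo
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Principal: UserId may carry a DOMAIN\ prefix; compare the account name only.
        $runAs     = $task.Principal.UserId
        $runAsName = if ($runAs) { ($runAs -split '\\')[-1] } else { '' }
        if ($privileged -contains $runAsName -or "$($task.Principal.RunLevel)" -eq 'Highest') {
            $reasons.Add("runs as privileged principal '$runAs'")
        }
        $authorName = if ($task.Author) { ($task.Author -split '\\')[-1] } else { '' }
        if ($authorName -and $runAsName -and $authorName -ne $runAsName) {
            $reasons.Add("authored by '$($task.Author)' but runs as '$runAs'")
        }

        # Triggers: boot and logon triggers fire without anyone choosing to run the task.
        foreach ($trigger in $task.Triggers) {
            $kind = $trigger.CimClass.CimClassName
            if ($kind -in 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger') {
                $reasons.Add("starts automatically ($kind)")
            }
        }

        # Actions: a bare name such as python.exe is resolved through PATH when the task runs.
        foreach ($action in $task.Actions) {
            $exe       = $action.Execute
            $argString = $action.Arguments
            if ($exe -and -not [System.IO.Path]::IsPathRooted($exe.Trim('"'))) {
                $reasons.Add("action '$exe' is not an absolute path")
            }
            if ($argString -and $argString -match '(?i)(\bcmd(\.exe)?\s+/c\b|\bsudo\b|\bsu\b)') {
                $reasons.Add("action hands execution to another program: $exe $argString")
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                State      = "$($task.State)"
                RunAs      = $runAs
                Author     = $task.Author
                LastRun    = $info.LastRunTime
                LastResult = ('0x{0:X}' -f $info.LastTaskResult)   # 0x41301 = task is still running
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-ScheduledTaskRisk | Format-List
```

Run against the host above, `\Start Jupyter in WSL` is reported for its `Administrator` principal, its boot trigger and the `sudo`/`su` hand-off in its arguments, while `\Python` is reported because `cmd.exe /c python.exe` names its real payload without a path. The last result `267009` is printed as `0x41301`, the scheduler's "currently running" code, which is why both tasks show `Running` in the listing.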

Services


PS C:\Windows\system32> wmic service where "State='Running'" get Name,PathName,StartName | Out-String -Stream | Where-Object { $_ -match 'S' -and $_ -notmatch 'C:\Windows\System32' } | Select-Object
Name                    PathName                                                               StartName
AppXSvc                 C:\Windows\system32\svchost.exe -k wsappx -p                           LocalSystem
BFE                     C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p    NT AUTHORITY\LocalService
BITS                    C:\Windows\System32\svchost.exe -k netsvcs -p                          LocalSystem
BrokerInfrastructure    C:\Windows\system32\svchost.exe -k DcomLaunch -p                       LocalSystem
camsvc                  C:\Windows\system32\svchost.exe -k appmodel -p                         LocalSystem
CDPSvc                  C:\Windows\system32\svchost.exe -k LocalService -p                     NT AUTHORITY\LocalService
CertPropSvc             C:\Windows\system32\svchost.exe -k netsvcs                             LocalSystem
ClipSVC                 C:\Windows\System32\svchost.exe -k wsappx -p                           LocalSystem
CoreMessagingRegistrar  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p            NT AUTHORITY\LocalService
CryptSvc                C:\Windows\system32\svchost.exe -k NetworkService -p                   NT Authority\NetworkService
DcomLaunch              C:\Windows\system32\svchost.exe -k DcomLaunch -p                       LocalSystem
defragsvc               C:\Windows\system32\svchost.exe -k defragsvc                           localSystem
Dhcp                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p    NT Authority\LocalService
DiagTrack               C:\Windows\System32\svchost.exe -k utcsvc -p                           LocalSystem
Dnscache                C:\Windows\system32\svchost.exe -k NetworkService -p                   NT AUTHORITY\NetworkService
DoSvc                   C:\Windows\System32\svchost.exe -k NetworkService -p                   NT Authority\NetworkService
DPS                     C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p            NT AUTHORITY\LocalService
DsmSvc                  C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
DsSvc                   C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p     LocalSystem
EventLog                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p    NT AUTHORITY\LocalService
EventSystem             C:\Windows\system32\svchost.exe -k LocalService -p                     NT AUTHORITY\LocalService
FontCache               C:\Windows\system32\svchost.exe -k LocalService -p                     NT AUTHORITY\LocalService
gpsvc                   C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
gupdate                 "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc           LocalSystem
IKEEXT                  C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
iphlpsvc                C:\Windows\System32\svchost.exe -k NetSvcs -p                          LocalSystem
KeyIso                  C:\Windows\system32\lsass.exe                                          LocalSystem
LanmanServer            C:\Windows\System32\svchost.exe -k smbsvcs                             LocalSystem
LanmanWorkstation       C:\Windows\System32\svchost.exe -k NetworkService -p                   NT AUTHORITY\NetworkService
LicenseManager          C:\Windows\System32\svchost.exe -k LocalService -p                     NT Authority\LocalService
lmhosts                 C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p    NT AUTHORITY\LocalService
LSM                     C:\Windows\system32\svchost.exe -k DcomLaunch -p                       LocalSystem
LxssManager             C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
mpssvc                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p    NT Authority\LocalService
MSDTC                   C:\Windows\System32\msdtc.exe                                          NT AUTHORITY\NetworkService
NcbService              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p     LocalSystem
netprofm                C:\Windows\System32\svchost.exe -k LocalService -p                     NT AUTHORITY\LocalService
NlaSvc                  C:\Windows\System32\svchost.exe -k NetworkService -p                   NT AUTHORITY\NetworkService
nsi                     C:\Windows\system32\svchost.exe -k LocalService -p                     NT Authority\LocalService
PlugPlay                C:\Windows\system32\svchost.exe -k DcomLaunch -p                       LocalSystem
PolicyAgent             C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p  NT Authority\NetworkService
Power                   C:\Windows\system32\svchost.exe -k DcomLaunch -p                       LocalSystem
ProfSvc                 C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
RpcEptMapper            C:\Windows\system32\svchost.exe -k RPCSS -p                            NT AUTHORITY\NetworkService
RpcSs                   C:\Windows\system32\svchost.exe -k rpcss -p                            NT AUTHORITY\NetworkService
SamSs                   C:\Windows\system32\lsass.exe                                          LocalSystem
Schedule                C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
SENS                    C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
SessionEnv              C:\Windows\System32\svchost.exe -k netsvcs -p                          localSystem
ShellHWDetection        C:\Windows\System32\svchost.exe -k netsvcs -p                          LocalSystem
Spooler                 C:\Windows\System32\spoolsv.exe                                        LocalSystem
sshd                    C:\Windows\System32\OpenSSH\sshd.exe                                   LocalSystem
StateRepository         C:\Windows\system32\svchost.exe -k appmodel -p                         LocalSystem
StorSvc                 C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p     LocalSystem
SysMain                 C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p     LocalSystem
SystemEventsBroker      C:\Windows\system32\svchost.exe -k DcomLaunch -p                       LocalSystem
TabletInputService      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p     LocalSystem
TermService             C:\Windows\System32\svchost.exe -k termsvcs                            NT Authority\NetworkService
Themes                  C:\Windows\System32\svchost.exe -k netsvcs -p                          LocalSystem
TimeBrokerSvc           C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p    NT AUTHORITY\LocalService
TokenBroker             C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
TrkWks                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p     LocalSystem
TrustedInstaller        C:\Windows\servicing\TrustedInstaller.exe                              localSystem
UALSVC                  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p     LocalSystem
UmRdpService            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p     localSystem
UserManager             C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
UsoSvc                  C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
vm3dservice             C:\Windows\system32\vm3dservice.exe                                    LocalSystem
W32Time                 C:\Windows\system32\svchost.exe -k LocalService                        NT AUTHORITY\LocalService
Wcmsvc                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p    NT Authority\LocalService
WinHttpAutoProxySvc     C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p    NT AUTHORITY\LocalService
Winmgmt                 C:\Windows\system32\svchost.exe -k netsvcs -p                          localSystem
WinRM                   C:\Windows\System32\svchost.exe -k NetworkService -p                   NT AUTHORITY\NetworkService
wlidsvc                 C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
WpnService              C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
wuauserv                C:\Windows\system32\svchost.exe -k netsvcs -p                          LocalSystem
CDPUserSvc_2ab79        C:\Windows\system32\svchost.exe -k UnistackSvcGroup
WpnUserService_2ab79    C:\Windows\system32\svchost.exe -k UnistackSvcGroup
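The listing above is the raw material for a service binary review: the handful of services whose binary lives outside `System32` (`gupdate`, `sshd`, `vm3dservice`, `TrustedInstaller`) are the ones where an unquoted path or a weak ACL on the executable or its directory would matter, because most of them run as `LocalSystem`. The script below is an added example, not code from the original page; it assumes an elevated PowerShell session, English well-known principal names, and mirrors the page's query by skipping `System32` unless asked not to.

```powershell
# Added example, not from the original page: review running services for the two classic
# binary-path weaknesses - an unquoted path containing spaces, and an executable or its
# directory that grants write access to broad principals. Assumes an elevated session.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path: take what is inside the quotes. Otherwise take up to the first ".exe".
    if ($PathName -match '^"(?<exe>[^"]+)"') { return $Matches.exe }
    if ($PathName -match '^(?<exe>.+?\.exe)') { return $Matches.exe }
    return $null
}

function Get-BroadWriteGrant {
    param([string]$Path)
    # Principals that any local user is a member of (English well-known names; assumption).
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    # Any of these rights lets the holder change what the service executes or who may.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Modify, FullControl, TakeOwnership, ChangePermissions'
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broad -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

function Get-ServiceBinaryRisk {
    [CmdletBinding()]
    param([switch]$IncludeSystem32)   # the page's query skipped System32; keep that as the default
    Get-CimInstance Win32_Service -Filter "State='Running'" | ForEach-Object {
        $svc = $_
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe) { return }
        if (-not $IncludeSystem32 -and $exe -like "$env:SystemRoot\System32\*") { return }

        $reasons = [System.Collections.Generic.List[string]]::new()
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $reasons.Add('unquoted path containing spaces')
        }
        $who = Get-BroadWriteGrant $exe
        if ($who) { $reasons.Add("binary writable by $who") }
        $dirWho = Get-BroadWriteGrant (Split-Path -Path $exe -Parent)
        if ($dirWho) { $reasons.Add("directory writable by $dirWho") }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartName = $svc.StartName
                Binary    = $exe
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-ServiceBinaryRisk | Format-Table -AutoSize
```

The `wmic` filter on the page matches lines containing an `S`, which in practice keeps nearly every row; `Get-CimInstance Win32_Service` returns the same `Name`, `PathName` and `StartName` fields as objects, so the filtering can be done on the binary path itself rather than on the rendered text.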

MSI Installation Policy


PS C:\Windows\system32> cmd /c reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer 
 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer 
    AlwaysInstallElevated    REG_DWORD    0x1
    DisableMSI    REG_DWORD    0x0
    EnableUserControl    REG_DWORD    0x1
 
PS C:\Windows\system32> cmd /c reg query HKU\S-1-5-21-2336295375-1619315875-398172279-1000\SOFTWARE\Policies\Microsoft\Windows\Installer 
 
HKEY_USERS\S-1-5-21-2336295375-1619315875-398172279-1000\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
 

S-1-5-21-2336295375-1619315875-398172279-1000 is the dev-datasci-lowpriv user.
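`AlwaysInstallElevated` only takes effect when it is set to `1` under both `HKLM` and the hive of the user running the installer, which is exactly the pair of values the two queries above show for the machine and for the `dev-datasci-lowpriv` SID. The script below is an added example, not code from the original page; it checks the machine policy and every loaded user hive, resolves each SID to an account name, and offers a `-WhatIf`-capable remediation. It assumes an elevated PowerShell session; the function names are my own.

```powershell
# Added example, not from the original page: report AlwaysInstallElevated for the machine
# policy and every loaded user hive, and optionally clear it. The policy is effective only
# when the value is 1 under BOTH HKLM and the user's hive. Assumes an elevated session.

$InstallerPolicyKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$UserHivePattern    = '^S-1-5-21-\d+-\d+-\d+-\d+$'   # real user hives only, not the *_Classes keys

function Get-AlwaysInstallElevatedValue {
    param([string]$Hive)   # e.g. 'HKLM:' or 'Registry::HKEY_USERS\S-1-5-21-...'
    $item = Get-ItemProperty -Path "$Hive\$InstallerPolicyKey" -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: policy not set in this hive
    return [int]$item.AlwaysInstallElevated
}

function Get-LoadedUserHives {
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match $UserHivePattern } |
        ForEach-Object { $_.PSChildName }
}

function Get-AlwaysInstallElevatedStatus {
    $machine = Get-AlwaysInstallElevatedValue 'HKLM:'
    foreach ($sid in Get-LoadedUserHives) {
        $user = Get-AlwaysInstallElevatedValue "Registry::HKEY_USERS\$sid"
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $sid   # orphaned or unresolvable SID
        }
        [pscustomobject]@{
            Account      = $account
            Sid          = $sid
            MachineValue = $machine
            UserValue    = $user
            Effective    = ($machine -eq 1 -and $user -eq 1)
        }
    }
}

function Disable-AlwaysInstallElevated {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $hives = @('HKLM:') + (Get-LoadedUserHives | ForEach-Object { "Registry::HKEY_USERS\$_" })
    foreach ($hive in $hives) {
        $path = "$hive\$InstallerPolicyKey"
        if ((Get-AlwaysInstallElevatedValue $hive) -eq 1 -and
            $PSCmdlet.ShouldProcess($path, 'Set AlwaysInstallElevated = 0')) {
            Set-ItemProperty -Path $path -Name AlwaysInstallElevated -Value 0 -Type DWord
        }
    }
}

Get-AlwaysInstallElevatedStatus | Format-Table -AutoSize
# Disable-AlwaysInstallElevated -WhatIf   # preview the remediation before applying it
```

Only hives that are currently loaded appear under `HKEY_USERS`, so a user who has never logged on since boot is not covered by this check; the machine value is the one that matters for containment, because clearing it under `HKLM` disables the policy for every user at once.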

Error


PS C:\tmp> whoami
dev-datasci-jup\dev-datasci-lowpriv
PS C:\tmp> msiexec /quiet /qn /i C:\tmp\malicious.msi
PS C:\tmp> msiexec /i C:\tmp\malicious.msi # Removing /quiet /qn flags
PS C:\tmp> ps | findstr msiexec
    209      14     7380      14148       0.08   3808   0 msiexec

As the dev-datasci-lowpriv user, msiexec.exe runs and a process is created, but no reverse shell comes back.

PS C:\tmp> whoami 
nt authority\system 
PS C:\tmp> msiexec /quiet /qn /i C:\tmp\malicious.msi 
PS C:\tmp> ps | findstr msiexec 
    272      15     7688      16952       0.11   1132   0 msiexec

As SYSTEM, it works fine.

PS C:\tmp> Get-WinEvent -LogName Application -MaxEvents 100 | Where-Object { $_.ProviderName -eq 'MsiInstaller' } | Format-List TimeCreated, Message 
 
[...REDACTED...]
 
TimeCreated : 7/6/2025 11:22:11 AM
Message     : Beginning a Windows Installer transaction: C:\tmp\malicious.msi. Client Process Id: 2840.
 
TimeCreated : 7/6/2025 11:18:35 AM
Message     : Ending a Windows Installer transaction: C:\tmp\malicious.msi. Client Process Id: 5096.
 
TimeCreated : 7/6/2025 11:18:35 AM
Message     : Windows Installer installed the product. Product Name: Foobar 1.0. Product Version: 1.0.0. Product
              Language: 1033. Manufacturer: Acme Ltd.. Installation success or error status: 1603.
 
TimeCreated : 7/6/2025 11:18:35 AM
Message     : Product: Foobar 1.0 -- Installation failed.
 
TimeCreated : 7/6/2025 11:18:35 AM
Message     : Product: Foobar 1.0 -- Error 1720. There is a problem with this Windows Installer package. A script
              required for this install to complete could not be run. Contact your support personnel or package
              vendor.  Custom action FailInstallation script error -2146828275, Microsoft VBScript runtime error: Type
              mismatch: 'fail' Line 1, Column 1,

Checking the Event Log reveals that something is blocking the dev-datasci-lowpriv user from executing msiexec.exe.
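The `Get-WinEvent` query above returns the raw messages; for triage it helps to turn each MsiInstaller record into structured fields (transaction phase, package path, client PID, status or error code, calling account) so that the `1603` status and the `Error 1720` entries can be correlated with the `Beginning`/`Ending` transaction pair for `C:\tmp\malicious.msi`. The script below is an added example, not code from the original page; it assumes an elevated session for log access, and the set of "trusted" package directories is an assumption to adjust per environment.

```powershell
# Added example, not from the original page: triage MsiInstaller events from the Application
# log, parsing each message into structured fields and flagging installs that come from
# outside expected locations or that ended in an error. Assumes an elevated session.

function Get-MsiInstallerActivity {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 500,
        # Package locations treated as expected (assumption); anything else, e.g. C:\tmp, is flagged.
        [string[]]$TrustedPathPrefix = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot\Installer")
    )

    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller' }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $msg = $evt.Message -replace '\r?\n\s*', ' '    # join the wrapped lines seen in the output above

        # The record carries the SID of the account that called the installer, when present.
        $account = $null
        if ($evt.UserId) {
            try { $account = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $evt.UserId.Value }
        }

        $record = [ordered]@{
            TimeCreated = $evt.TimeCreated
            EventId     = $evt.Id
            Account     = $account
            Kind        = 'Other'
            Package     = $null
            ClientPid   = $null
            Status      = $null
            Flag        = $null
        }

        if ($msg -match '(?<phase>Beginning|Ending) a Windows Installer transaction: (?<pkg>.+?)\. Client Process Id: (?<cpid>\d+)') {
            $record.Kind      = "Transaction$($Matches.phase)"
            $record.Package   = $Matches.pkg
            $record.ClientPid = [int]$Matches.cpid
            $pkg = $record.Package
            $trusted = $TrustedPathPrefix | Where-Object { $_ -and $pkg.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
            if (-not $trusted) { $record.Flag = 'package outside trusted install locations' }
        }
        elseif ($msg -match 'Product Name: (?<prod>.+?)\. Product Version:.*Installation success or error status: (?<status>\d+)') {
            $record.Kind    = 'InstallResult'
            $record.Package = $Matches.prod
            $record.Status  = [int]$Matches.status
            if ($record.Status -ne 0) { $record.Flag = "installer status $($record.Status)" }
        }
        elseif ($msg -match '^Product: (?<prod>.+?) -- (?<detail>.+)$') {
            $record.Kind    = 'ProductMessage'
            $record.Package = $Matches.prod
            if ($Matches.detail -match 'Error (?<code>\d+)') {
                $record.Status = [int]$Matches.code
                $record.Flag   = "MSI error $($record.Status)"
            }
            elseif ($Matches.detail -match '^Installation failed') {
                $record.Flag = 'installation failed'
            }
        }
        [pscustomobject]$record
    }
}

Get-MsiInstallerActivity | Where-Object Flag | Format-Table TimeCreated, EventId, Account, Kind, Package, Status, Flag -AutoSize
```

On the log excerpt above this yields a flagged `TransactionBeginning` record for `C:\tmp\malicious.msi` (outside the trusted directories), an `InstallResult` record with status `1603`, and a `ProductMessage` record with error `1720` whose text names the custom action `FailInstallation` and the VBScript type mismatch; grouping those by `Account` and `ClientPid` is what separates the failed low-privilege attempt from the later one run as SYSTEM.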