There’s More Than One Way to Trigger a Windows Service

What service triggers are and how they can be activated with little to no code. The article details several trigger types, methods to list them, and the practical implications for security testing, including how triggers can be abused to start services indirectly.
#ServiceTriggers #NamedPipe #EndpointMapper #ETW #DomainJoin #IPAvailability #FirewallEvent #GroupPolicy #DeviceInterfaceArrival #AggregateTriggers

Keypoints

  • Service triggers let the Service Control Manager (SCM) start or stop a Windows service in response to an event or condition rather than an explicit start request.
  • Multiple tools exist to list and query triggers, including sc.exe qtriggerinfo and the QueryServiceConfig2 Win32 API (SERVICE_CONFIG_TRIGGER_INFO).
  • Network-endpoint and ETW-based triggers can let a low-privileged user start a service they are not permitted to start directly, because the SCM starts it in response to the trigger event.
  • Trigger types include Device Interface Arrival, IP Address Availability, Domain Join, Firewall Port Event, Group Policy, Network Endpoint (named pipe or RPC endpoint), custom ETW events, and Aggregate triggers.
  • Practical activation methods range from plugging in a device and running gpupdate /force to crafted connections to named pipes and RPC endpoints.
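
The listing and activation steps above, as an added PowerShell example that is not code from the TrustedSec post. It assumes the SCM persists each trigger under HKLM\SYSTEM\CurrentControlSet\Services\<svc>\TriggerInfo\<n> as Type, Action, GUID and Data<i>/DataType<i> values (mirroring what sc.exe qtriggerinfo prints), decodes the type and the well-known subtype GUIDs from winsvc.h, and offers a helper that connects to a named pipe as an unprivileged client to see whether a NETWORK_ENDPOINT trigger starts the service. The function names, the 'W32Time' sample and the 2-second settle delay are this example's own choices.

```powershell
# Added example (not from the TrustedSec post). Assumption: triggers live under
# HKLM\SYSTEM\CurrentControlSet\Services\<svc>\TriggerInfo\<n> with values
# Type (DWORD), Action (DWORD), GUID (REG_BINARY), Data<i> (REG_BINARY), DataType<i> (DWORD).

$TriggerTypes = @{
    1  = 'DEVICE_INTERFACE_ARRIVAL'
    2  = 'IP_ADDRESS_AVAILABILITY'
    3  = 'DOMAIN_JOIN'
    4  = 'FIREWALL_PORT_EVENT'
    5  = 'GROUP_POLICY'
    6  = 'NETWORK_ENDPOINT'
    7  = 'CUSTOM_SYSTEM_STATE_CHANGE'
    20 = 'CUSTOM'        # ETW-based: the subtype GUID is the ETW provider
    30 = 'AGGREGATE'
}
$TriggerActions = @{ 1 = 'START'; 2 = 'STOP' }
# Well-known subtype GUIDs from winsvc.h; anything else is reported raw (e.g. an ETW provider GUID)
$KnownSubtypes = @{
    '4f27f2de-14e2-430b-a549-7cd48cbc8245' = 'FIRST_IP_ADDRESS_ARRIVAL'
    'cc4ba62a-162e-4648-847a-b6bdf993e335' = 'LAST_IP_ADDRESS_REMOVAL'
    '1ce20aba-9851-4421-9430-1ddeb766e809' = 'DOMAIN_JOIN'
    'ddaf516e-58c2-4866-9574-c3b615d42ea1' = 'DOMAIN_LEAVE'
    'b7569e07-8421-4ee0-ad10-86915afdad09' = 'FIREWALL_PORT_OPEN'
    'a144ed38-8e12-4de4-9d96-e64740b1a524' = 'FIREWALL_PORT_CLOSE'
    '659fcae6-5bdb-4da9-b1ff-ca2a178d46e0' = 'MACHINE_POLICY_PRESENT'
    '54fb46c8-f089-464c-b1fd-59d1b62c3b50' = 'USER_POLICY_PRESENT'
    'bc90d167-9470-4139-a9ba-be0bbbf5b74d' = 'RPC_INTERFACE_EVENT'
    '1f81d131-3fac-4537-9e0c-7e7b0c2f4b55' = 'NAMED_PIPE_EVENT'
}
$DataTypes = @{ 1 = 'BINARY'; 2 = 'STRING'; 3 = 'LEVEL'; 4 = 'KEYWORD_ANY'; 5 = 'KEYWORD_ALL' }

function Get-ServiceTriggerInfo {
    # Returns one object per trigger: service, type, action, decoded subtype and data items.
    param([string]$Name = '*')
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        if ($svc.PSChildName -notlike $Name) { continue }
        $tiPath = Join-Path $svc.PSPath 'TriggerInfo'
        if (-not (Test-Path -Path $tiPath)) { continue }
        foreach ($t in Get-ChildItem -Path $tiPath) {
            $p = Get-ItemProperty -Path $t.PSPath
            $guid = if ($p.GUID) { ([guid]::new([byte[]]$p.GUID)).ToString() } else { '' }
            $subtype = if ($KnownSubtypes.ContainsKey($guid)) { $KnownSubtypes[$guid] } else { $guid }
            $items = @()
            # Data0/DataType0, Data1/DataType1, ... carry pipe names, RPC interface IDs,
            # device interface strings or ETW levels/keywords, depending on the type.
            for ($i = 0; $null -ne $p."Data$i"; $i++) {
                $bytes = [byte[]]$p."Data$i"
                $kind  = $DataTypes[[int]$p."DataType$i"]
                $value = if ($kind -eq 'STRING') {
                    [Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
                } else {
                    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                $items += "$kind=$value"
            }
            [pscustomobject]@{
                Service = $svc.PSChildName
                Type    = $TriggerTypes[[int]$p.Type]
                Action  = $TriggerActions[[int]$p.Action]
                Subtype = $subtype
                Data    = $items -join '; '
            }
        }
    }
}

function Test-NamedPipeTrigger {
    # Opens \\.\pipe\<PipeName> from the current (possibly unprivileged) context and reports the
    # service state before and after. Assumption: the service has a NETWORK_ENDPOINT trigger whose
    # NAMED_PIPE_EVENT data is <PipeName>; the open attempt is what the SCM reacts to, so the
    # connect itself may time out and the service can still have been started.
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$PipeName,
        [int]$TimeoutMs = 3000
    )
    $before = (Get-Service -Name $ServiceName).Status
    $client = [System.IO.Pipes.NamedPipeClientStream]::new('.', $PipeName, 'InOut')
    try     { $client.Connect($TimeoutMs) }
    catch   { }                      # timeout or access denied: still a trigger attempt
    finally { $client.Dispose() }
    Start-Sleep -Seconds 2           # give the SCM a moment to act on the trigger
    [pscustomobject]@{
        Service = $ServiceName
        Pipe    = $PipeName
        Before  = $before
        After   = (Get-Service -Name $ServiceName).Status
    }
}

# Usage (no admin rights needed for the listing):
#   Get-ServiceTriggerInfo | Format-Table -AutoSize
#   Get-ServiceTriggerInfo -Name 'W32Time' | Format-List
#   Test-NamedPipeTrigger -ServiceName '<service>' -PipeName '<pipe from its NETWORK_ENDPOINT data>'
```

Cross-check the decoded output against `sc.exe qtriggerinfo <service>` for a service or two before relying on it; the registry view is the persisted form of the same SERVICE_TRIGGER_INFO data that QueryServiceConfig2 returns, but a trigger added at runtime without a matching registry write would only show up through the API. Services whose Type decodes to NETWORK_ENDPOINT or CUSTOM are the ones worth a second look from a low-privilege perspective, since the connection or ETW event that fires them does not require the right to call StartService.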

Read More: https://trustedsec.com/blog/theres-more-than-one-way-to-trigger-a-windows-service