# Hyper-V Administrators

This applies in the context of a Windows host running Hyper-V. In that case, membership of the Hyper-V Administrators group gives a direct pathway to becoming Administrator on the system.

This blog post details the attack => <https://decoder.cloud/2020/01/20/from-hyper-v-admin-to-system/>, with a POC given at the end.

An overview of the attack:

1. **Delete VHDX**: The attacker deletes the target `.vhdx` file.
2. **Create Hard Link**: At the path of the now-deleted `.vhdx`, they create a hard link that points to a sensitive SYSTEM-owned file.
3. **Trigger Permission Reset**: When `vmms.exe` attempts to restore the original permissions on the `.vhdx`, it follows the hard link and ends up modifying the permissions of the SYSTEM file instead.
4. **Gain Access**: Because `vmms.exe` performs this write as `NT AUTHORITY\SYSTEM`, the SYSTEM file's permissions are changed, and the attacker gains unauthorized access to it.

As seen in step 3, `vmms.exe` reapplies the `.vhdx` file's original permissions, but to the system file the hard link points at. For this to work, our user must already have had permissions on the `.vhdx`, since those are the permissions that get restored.

### Attacking a service

We use the POC => <https://github.com/decoder-it/Hyper-V-admin-EOP/blob/master/hyperv-eop.ps1> and change `$targetfile` to a service executable.

We take ownership of the service:

```
takeown /F "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
```

Then we can replace the service executable with a malicious one and start the service:

```
sc.exe start MozillaMaintenance
```

{% hint style="info" %}
Note: This vector has been mitigated by the March 2020 Windows security updates, which changed behavior relating to hard links.
{% endhint %}
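
A defender-side check for this technique, added here as an example and not part of the original post or the linked POC: it lists who sits in the Hyper-V Administrators group and flags any `.vhdx` under the VM store that shares its data with a second path (the hard-link pattern from the overview above). The `$VhdxRoot` value is an assumption; point it at the real virtual hard disk location and run the script elevated.

```powershell
# Added audit example, not from the original post or the linked PoC.
# Run elevated. $VhdxRoot is an assumed path: set it to your real VM storage location.
$VhdxRoot = 'C:\ProgramData\Microsoft\Windows\Virtual Hard Disks'

function Get-HyperVAdminMembers {
    # The local group this technique abuses. Every member here can control VMs,
    # so the list should be short and reviewed regularly.
    Get-LocalGroupMember -Group 'Hyper-V Administrators' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Find-HardLinkedVhdx {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -Path $Root -Filter '*.vhdx' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            $drive = $file.FullName.Substring(0, 2)          # e.g. "C:"

            # fsutil prints one drive-relative path (starting with "\") per hard link
            # that shares this file's data. A normal VHDX has exactly one entry; a
            # second entry outside the VM store is the "VHDX name linked to an
            # unrelated file" pattern described above.
            $links = @(& fsutil.exe hardlink list $file.FullName 2>$null |
                       Where-Object { $_ -match '^\\' } |
                       ForEach-Object { $drive + $_ })

            if ($links.Count -gt 1) {
                [pscustomobject]@{
                    Vhdx       = $file.FullName
                    LinkCount  = $links.Count
                    OtherPaths = @($links | Where-Object { $_ -ne $file.FullName })
                }
            }
        }
}

Write-Host '== Hyper-V Administrators members =='
Get-HyperVAdminMembers | Format-Table -AutoSize

Write-Host "== VHDX files with extra hard links under $VhdxRoot =="
Find-HardLinkedVhdx -Root $VhdxRoot | Format-List
```

Any `.vhdx` reported with `LinkCount` above 1 deserves a look at `OtherPaths`; a link into `C:\Windows` or `C:\Program Files` is exactly what the permission-reset step would leave behind.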
