6 - Windows Services

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

Windows Services

Key Features of Windows Services

Run independently of the logged-in user.
Managed via the Services Control Manager (SCM) panel.
Operate in various contexts:
- Local Services
- Network Services
- System Services
- Third-Party Application Services

Security and Attack Surface

Windows Services present a substantial attack surface. Improper configurations or vulnerabilities in services can be exploited to gain elevated privileges or execute malicious code.

Managing Services

Below are useful commands to manage Windows Services effectively:

Listing and Viewing Services

List All Services:
```
Get-Service
```

Display Specific Properties:

Get-Service | Select-Object DisplayName, Status, ServiceName, Can*

Get Binary Paths for Running Services:

Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

Service Operations

Start a Service:
```
sc.exe start <SERVICE>
```
Stop a Service:
```
sc.exe stop <SERVICE>
```
Check Service Configuration:
```
sc.exe qc <SERVICE>
```

Modifying Services

Change the Binary Path of a Service:

sc.exe config <SERVICE> binPath="C:\Path\to\malicious.exe"

Check Service Permissions:
```
sc.exe sdshow <SERVICE>
```
Update Service Permissions:
```
sc.exe sdset <SERVICE> <SDDL>
```

Advanced Operations

Convert SDDL to Readable Format:
```
ConvertFrom-SddlString -Sddl <SDDL>
```

Get Executable Path for All Processes:

wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow'

Adding a New Service

To add a new service, you must provide an executable file (.exe) that implements the Windows Service API.

Creating a Service Using sc.exe

Create the Service:

sc.exe create <SERVICE-NAME> binPath="<PATH-TO-EXECUTABLE>"

Verify the Configuration:
```
sc.exe qc <SERVICE-NAME>
```
Start the Service:
```
sc.exe start <SERVICE-NAME>
```
Stop the Service:
```
sc.exe stop <SERVICE-NAME>
```
Delete the Service:
```
sc.exe delete <SERVICE-NAME>
```

Compiling a Custom Service

To create a custom Windows Service, write the code in a language like C and compile it using mingw-w64.

Example Compilation Command:

x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c

Once compiled, follow the steps above to register, start, and manage the service.

Using NSSM (Non-Sucking Service Manager)

For simplicity, you can use NSSM to run any arbitrary .bat or .exe file as a service.

Install the Service:
```
nssm.exe install <SERVICE-NAME>
```

Other Resources

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

Previous5 - On Cross Compilation Next7 - Weak Service Permissions

Last updated 5 months ago

6 - Windows Services

Topics

Introduction to the Windows Shells
Windows Permissions
Reverse Shells in Windows
SeImpersonatePrivilege Exploitation
On Cross Compilation
Windows Services
Weak Service Permissions
Unquoted Service Path
DLL Hijacking
Always Install Elevated
Files with Sensitive Data
Windows Hashes
Stored Credentials and the Windows Vault
Scheduled Task
Critical Registry Paths
Useful Tools
AMSI Bypass

Windows Services

are specialized processes designed to operate in the background without user interaction (can be comparable to 'deamon' in linux systems). These services often start automatically when the system boots and continue running even after a user logs off.

Key Features of Windows Services

Run independently of the logged-in user.
Managed via the Services Control Manager (SCM) panel.
Operate in various contexts:
- Local Services
- Network Services
- System Services
- Third-Party Application Services

Security and Attack Surface

Windows Services present a substantial attack surface. Improper configurations or vulnerabilities in services can be exploited to gain elevated privileges or execute malicious code.

Managing Services

Below are useful commands to manage Windows Services effectively:

Listing and Viewing Services

List All Services:
```
Get-Service
```

Display Specific Properties:

Get-Service | Select-Object DisplayName, Status, ServiceName, Can*

Get Binary Paths for Running Services:

Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

Service Operations

Start a Service:
```
sc.exe start <SERVICE>
```
Stop a Service:
```
sc.exe stop <SERVICE>
```
Check Service Configuration:
```
sc.exe qc <SERVICE>
```

Modifying Services

Change the Binary Path of a Service:

sc.exe config <SERVICE> binPath="C:\Path\to\malicious.exe"

Check Service Permissions:
```
sc.exe sdshow <SERVICE>
```
Update Service Permissions:
```
sc.exe sdset <SERVICE> <SDDL>
```

Advanced Operations

Convert SDDL to Readable Format:
```
ConvertFrom-SddlString -Sddl <SDDL>
```

Get Executable Path for All Processes:

wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow'

Adding a New Service

To add a new service, you must provide an executable file (.exe) that implements the Windows Service API.

Creating a Service Using sc.exe

Create the Service:

sc.exe create <SERVICE-NAME> binPath="<PATH-TO-EXECUTABLE>"

Verify the Configuration:
```
sc.exe qc <SERVICE-NAME>
```
Start the Service:
```
sc.exe start <SERVICE-NAME>
```
Stop the Service:
```
sc.exe stop <SERVICE-NAME>
```
Delete the Service:
```
sc.exe delete <SERVICE-NAME>
```

Compiling a Custom Service

To create a custom Windows Service, write the code in a language like C and compile it using mingw-w64.

Example Compilation Command:

x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c

Once compiled, follow the steps above to register, start, and manage the service.

Using NSSM (Non-Sucking Service Manager)

For simplicity, you can use NSSM to run any arbitrary .bat or .exe file as a service.

Download NSSM: From .
Install the Service:
```
nssm.exe install <SERVICE-NAME>
```

Other Resources

Windows local privilege escalation:
ConvertFrom-SddlString:
Security Descriptor Definition Language (SDDL):
Create Windows service from executable:
The Non-Sucking Service Manager:
Very basic Windows Service template in C:
Cygwin and MinGW Options:
Working with SDDL:

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗

Previous5 - On Cross Compilation Next7 - Weak Service Permissions

Last updated 5 months ago