6 - Windows Services
Windows Services
Windows Services are specialized processes designed to run in the background without user interaction (comparable to daemons on Linux systems). They typically start automatically when the system boots and keep running after the user logs off.
Key Features of Windows Services
Run independently of the logged-in user.
Managed via the Service Control Manager (SCM), e.g. through the Services console or sc.exe.
Operate in various contexts:
Local Services
Network Services
System Services
Third-Party Application Services

Security and Attack Surface
Windows Services present a substantial attack surface. Improper configurations or vulnerabilities in services can be exploited to gain elevated privileges or execute malicious code.
Managing Services
Below are useful commands to manage Windows Services effectively:
Listing and Viewing Services
List All Services:
Get-Service
Display Specific Properties:
Get-Service | Select-Object DisplayName, Status, ServiceName, Can*
Get Binary Paths for Running Services:
Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

Service Operations
Start a Service:
sc.exe start <SERVICE>
Stop a Service:
sc.exe stop <SERVICE>
Check Service Configuration:
sc.exe qc <SERVICE>
Modifying Services
Change the Binary Path of a Service:
sc.exe config <SERVICE> binPath= "C:\Path\to\malicious.exe"
Check Service Permissions:
sc.exe sdshow <SERVICE>
Update Service Permissions:
sc.exe sdset <SERVICE> <SDDL>
Advanced Operations
Convert SDDL to Readable Format:
ConvertFrom-SddlString -Sddl <SDDL>
Get Executable Path for All Processes:
wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow'
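The commands above list services, show their binary paths and print their security descriptors as SDDL. The following script, added here as an example and not part of the original notes, combines them into a read-only configuration audit. It decodes the SDDL returned by sc.exe sdshow with the .NET RawSecurityDescriptor class rather than ConvertFrom-SddlString so that the service-specific right bits can be named, reports ACEs that grant Everyone, Authenticated Users, Users, INTERACTIVE or ANONYMOUS the rights needed to change a service's configuration or its DACL, and flags binary paths that are unquoted with spaces or live outside the Windows directory. The access-right values are the Win32 SERVICE_* and standard-rights constants; the low-privilege SID list, the sample service names and the sample SDDL strings are constructed for this example.

```powershell
# Added example (not from the original notes): a read-only audit of service
# configuration built on the commands shown above. Service access-right bit
# values are the Win32 SERVICE_* / standard-rights constants; the list of
# "low-privilege" SIDs and the sample SDDL strings are this example's own.

$ServiceRights = [ordered]@{
    SERVICE_QUERY_CONFIG         = 0x00000001
    SERVICE_CHANGE_CONFIG        = 0x00000002   # change binPath, account, start type
    SERVICE_QUERY_STATUS         = 0x00000004
    SERVICE_ENUMERATE_DEPENDENTS = 0x00000008
    SERVICE_START                = 0x00000010
    SERVICE_STOP                 = 0x00000020
    SERVICE_PAUSE_CONTINUE       = 0x00000040
    SERVICE_INTERROGATE          = 0x00000080
    SERVICE_USER_DEFINED_CONTROL = 0x00000100
    DELETE                       = 0x00010000
    READ_CONTROL                 = 0x00020000
    WRITE_DAC                    = 0x00040000   # rewrite the service DACL
    WRITE_OWNER                  = 0x00080000
    GENERIC_ALL                  = 0x10000000
    GENERIC_WRITE                = 0x40000000
}
# Rights that let a principal change what the service runs or who controls it.
$ControlMask = $ServiceRights.SERVICE_CHANGE_CONFIG -bor $ServiceRights.DELETE -bor $ServiceRights.WRITE_DAC -bor $ServiceRights.WRITE_OWNER -bor $ServiceRights.GENERIC_ALL -bor $ServiceRights.GENERIC_WRITE

# Principals that should never hold control rights on a service (this example's choice).
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4',       # INTERACTIVE
    'S-1-5-7'        # ANONYMOUS LOGON
)

function Get-ServiceRightNames {
    param([int]$Mask)
    $ServiceRights.GetEnumerator() | Where-Object { ($Mask -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Test-ServiceSddl {
    # Emits one record per ACE that grants a low-privilege principal control rights.
    param([string]$ServiceName, [string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier.Value
        if ($LowPrivSids -notcontains $sid) { continue }
        $granted = $ace.AccessMask -band $ControlMask
        if ($granted -eq 0) { continue }
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid }
        [pscustomobject]@{ Service = $ServiceName; Principal = $who; Rights = (Get-ServiceRightNames $granted) -join ',' }
    }
}

function Test-ServicePath {
    # Flags an unquoted executable path containing spaces and binaries outside %SystemRoot%.
    param([string]$ServiceName, [string]$PathName,
          [string]$SystemRoot = $(if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }))
    if ([string]::IsNullOrWhiteSpace($PathName)) { return }
    $findings = @()
    if ($PathName -notmatch '^"' -and $PathName -match '^(?<exe>.*?\.exe)' -and $Matches.exe -match '\s') {
        $findings += 'UnquotedPathWithSpaces'
    }
    # Strip surrounding quotes and arguments to get the executable itself.
    $exe = ($PathName -replace '^"([^"]+)".*$', '$1') -replace '^(.*?\.exe).*$', '$1'
    if ($exe -notmatch "^$([regex]::Escape($SystemRoot))\\") { $findings += 'BinaryOutsideSystemRoot' }
    if ($findings.Count -gt 0) {
        [pscustomobject]@{ Service = $ServiceName; Path = $PathName; Findings = $findings -join ',' }
    }
}

function Invoke-ServiceAudit {
    # Live run: Get-CimInstance for paths, sc.exe sdshow for the SDDL (needs only READ_CONTROL).
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        Test-ServicePath -ServiceName $svc.Name -PathName $svc.PathName
        $sddl = sc.exe sdshow $svc.Name 2>$null | Where-Object { $_.Trim() -match '^[DOGS]:' } | Select-Object -First 1
        if ($sddl) { Test-ServiceSddl -ServiceName $svc.Name -Sddl $sddl.Trim() }
    }
}

# Constructed samples. The first is the DACL most built-in services carry: SYSTEM and
# Administrators control it, INTERACTIVE (IU) and SERVICE (SU) may only query it.
$DefaultLike = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
# The second adds full control for Authenticated Users (AU): the misconfiguration to look for.
$Weak = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)'

Test-ServiceSddl -ServiceName 'SampleDefault' -Sddl $DefaultLike
Test-ServiceSddl -ServiceName 'SampleWeak'    -Sddl $Weak | Format-Table -AutoSize
Test-ServicePath -ServiceName 'SampleApp' -PathName 'C:\Program Files\Sample App\svc.exe -run' | Format-Table -AutoSize
# Invoke-ServiceAudit | Format-Table -AutoSize     # audit the local machine
```

The SDDL right abbreviations (CC, DC, RP, WD, ...) map to the same bit positions as the service access rights, which is why the raw AccessMask can be decoded with the SERVICE_* table directly; ConvertFrom-SddlString, by contrast, labels those bits with file-system right names. The sample default DACL lists SERVICE_START and SERVICE_STOP for SYSTEM only, so a finding on a live system means a non-administrator can reconfigure or re-ACL the service and should be corrected with sc.exe sdset.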
Adding a New Service
To add a new service, you must provide an executable file (.exe) that implements the Windows Service API.
Creating a Service Using sc.exe
Create the Service:
sc.exe create <SERVICE-NAME> binPath= "<PATH-TO-EXECUTABLE>"
Verify the Configuration:
sc.exe qc <SERVICE-NAME>
Start the Service:
sc.exe start <SERVICE-NAME>
Stop the Service:
sc.exe stop <SERVICE-NAME>
Delete the Service:
sc.exe delete <SERVICE-NAME>
Compiling a Custom Service
To create a custom Windows Service, write the code in a language like C and compile it using mingw-w64.
Example Compilation Command:
x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c
Once compiled, follow the steps above to register, start, and manage the service.
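Registering, starting and managing the compiled service is the sc.exe sequence given above. The script below, added here as an example and not part of the original notes or of the linked service template, performs the same steps with the checks an administrator adds so that the new service does not itself become the kind of weak configuration this section warns about: it refuses to register a binary from a directory that low-privilege principals can write to, stores the binary path quoted, reads the configuration back to verify it, and confirms the service actually reaches the Running state. It uses New-Service instead of sc.exe create because the cmdlet stores the quoted path exactly as given, sidestepping the quoting pitfalls of passing binPath= through PowerShell to a native command. The low-privilege SID list, the -Remove switch and the usage path are this example's own choices; run it from an elevated PowerShell.

```powershell
# Added example (not from the original notes): registers a service by the procedure
# above with the checks an administrator adds. Run elevated. The low-privilege SID
# list and the -Remove switch are this example's choices.

function Get-LowPrivWriters {
    # Low-privilege principals with write/delete/ACL rights on $Directory.
    # A service binary in such a directory can be replaced by any local user.
    param([string]$Directory)
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'      # Everyone, Authenticated Users, Users
    $writeBits   = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $genericBits = 0x50000000                                 # GENERIC_ALL | GENERIC_WRITE, as raw ACEs may carry them
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sid -notin $lowPrivSids) { continue }
        $mask = [int]$ace.FileSystemRights
        if (($mask -band $writeBits) -ne 0 -or ($mask -band $genericBits) -ne 0) { $ace.IdentityReference.Value }
    }
}

function Register-ManagedService {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ExecutablePath,
        [switch]$Remove          # stop and delete the service again afterwards (for trying this out)
    )
    $exe = (Resolve-Path -LiteralPath $ExecutablePath).ProviderPath   # throws if the file is missing
    $dir = Split-Path -Parent $exe
    $writers = @(Get-LowPrivWriters -Directory $dir)
    if ($writers.Count -gt 0) { throw "Refusing to register ${Name}: $($writers -join ', ') can write to $dir" }

    # Quote the path so the stored BINARY_PATH_NAME has exactly one interpretation.
    New-Service -Name $Name -BinaryPathName "`"$exe`"" -StartupType Manual | Out-Null

    # Read the stored configuration back (the same data 'sc.exe qc' prints) and verify it.
    $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if ($cfg.PathName -ne "`"$exe`"") { throw "Stored path differs from the requested one: $($cfg.PathName)" }

    Start-Service -Name $Name
    (Get-Service -Name $Name).WaitForStatus('Running', [timespan]::FromSeconds(30))  # throws on timeout
    Write-Host "$Name is $((Get-Service -Name $Name).Status); binary: $($cfg.PathName)"

    if ($Remove) {
        Stop-Service -Name $Name -Force
        sc.exe delete $Name | Out-Null     # Remove-Service exists only in PowerShell 6 and later
    }
}

# Usage; the path is a placeholder for your own service binary, e.g. the compiled simpleService.exe:
# Register-ManagedService -Name 'SimpleService' -ExecutablePath 'C:\Services\simpleService.exe' -Remove
```

If Start-Service fails with error 1053 (the service did not respond in time), the binary does not implement the Service Control Manager handshake, which is the requirement stated at the top of this section; a plain console executable must be wrapped, for instance with NSSM as described next.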
Using NSSM (Non-Sucking Service Manager)
For simplicity, you can use NSSM to run any arbitrary .bat or .exe file as a service.
Download NSSM: From NSSM's Official Website.
Install the Service:
nssm.exe install <SERVICE-NAME>
Other Resources
Windows local privilege escalation: https://xorond.com/posts/2021/04/wind...
ConvertFrom-SddlString: https://learn.microsoft.com/en-us/pow...
Security Descriptor Definition Language (SDDL): https://learn.microsoft.com/en-us/win...
Create Windows service from executable: https://stackoverflow.com/questions/3...
The Non-Sucking Service Manager: https://nssm.cc/
Very basic Windows Service template in C: https://gist.github.com/mmmunk/0b0adb...
Cygwin and MinGW Options: https://gcc.gnu.org/onlinedocs/gcc/Cy...
Working with SDDL: https://www.advancedinstaller.com/for...
Disclaimer
❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!❗