6 - Windows Services


Windows Services

Windows Services are specialized processes designed to operate in the background without user interaction (comparable to a daemon on Linux systems). These services often start automatically when the system boots and continue running even after a user logs off.

Key Features of Windows Services

  • Run independently of the logged-in user.

  • Managed through the Service Control Manager (SCM).

  • Operate in various contexts:

    • Local Services

    • Network Services

    • System Services

    • Third-Party Application Services

Security and Attack Surface

Windows Services present a substantial attack surface. Improper configurations or vulnerabilities in services can be exploited to gain elevated privileges or execute malicious code.


Managing Services

Below are useful commands to manage Windows Services effectively:

Listing and Viewing Services

  • List All Services:

    Get-Service
  • Display Specific Properties:

    Get-Service | Select-Object DisplayName, Status, ServiceName, Can*
  • Get Binary Paths for Running Services:

    Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

Service Operations

  • Start a Service:

    sc.exe start <SERVICE>
  • Stop a Service:

    sc.exe stop <SERVICE>
  • Check Service Configuration:

    sc.exe qc <SERVICE>

Modifying Services

  • Change the Binary Path of a Service:

    sc.exe config <SERVICE> binPath="C:\Path\to\malicious.exe"
  • Check Service Permissions:

    sc.exe sdshow <SERVICE>
  • Update Service Permissions:

    sc.exe sdset <SERVICE> <SDDL>

Advanced Operations

  • Convert SDDL to Readable Format:

    ConvertFrom-SddlString -Sddl <SDDL>
  • Get Executable Path for All Processes:

    wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow'
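
`ConvertFrom-SddlString` has no `-Type` value for services, so the rights names it prints for `sc.exe sdshow` output are not service rights. The following added example (not part of the original page) decodes a service descriptor against the service-specific access rights and marks ACEs that let broad groups reconfigure the service; the function name `Get-ServiceAce`, the list of broad SIDs and the sample SDDL are constructed for illustration.

```powershell
# Added example: decode a service security descriptor with service-specific rights.
# Values are the SERVICE_* rights plus the standard and generic rights from the Windows SDK.
$ServiceRights = [ordered]@{
    QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004
    EnumerateDependents = 0x0008; Start = 0x0010; Stop = 0x0020
    PauseContinue = 0x0040; Interrogate = 0x0080; UserDefinedControl = 0x0100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
    GenericAll = 0x10000000; GenericWrite = 0x40000000
}
# Rights that let the holder change what the service runs or rewrite its ACL.
$ControlMask = 0x0002 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# Assumption: these broad well-known SIDs should never hold the rights above.
# Everyone, Authenticated Users, BUILTIN\Users, Interactive
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Get-ServiceAce {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Skip object/compound ACEs; service DACLs normally hold plain allow/deny ACEs.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: keep the raw value
        $rights = foreach ($r in $ServiceRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        $allow = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        [pscustomobject]@{
            Principal = $name
            AceType   = $ace.AceType
            Rights    = $rights -join ', '
            # True when a broad group is allowed to reconfigure or re-ACL the service.
            Review    = $allow -and ($sid.Value -in $BroadSids) -and
                        (($ace.AccessMask -band $ControlMask) -ne 0)
        }
    }
}

# Constructed sample: a default-looking descriptor plus one over-permissive ACE
# for Authenticated Users (AU) that includes DC (ChangeConfig).
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'
Get-ServiceAce -Sddl $sample | Format-Table -AutoSize

# Live use: Get-ServiceAce -Sddl ((sc.exe sdshow <SERVICE>) -join '')
```

On the sample, only the Authenticated Users ACE comes back with `Review` set to `True`; such an ACE is a candidate for tightening with `sc.exe sdset`.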

Adding a New Service

To add a new service, you must provide an executable file (.exe) that implements the Windows Service API.

Creating a Service Using sc.exe

  1. Create the Service:

    sc.exe create <SERVICE-NAME> binPath="<PATH-TO-EXECUTABLE>"
  2. Verify the Configuration:

    sc.exe qc <SERVICE-NAME>
  3. Start the Service:

    sc.exe start <SERVICE-NAME>
  4. Stop the Service:

    sc.exe stop <SERVICE-NAME>
  5. Delete the Service:

    sc.exe delete <SERVICE-NAME>

Compiling a Custom Service

To create a custom Windows Service, write the code in a language like C and compile it using mingw-w64.

simpleService.c

Example Compilation Command:

x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c

Once compiled, follow the steps above to register, start, and manage the service.


Using NSSM (Non-Sucking Service Manager)

For simplicity, you can use NSSM to run any arbitrary .bat or .exe file as a service.

  1. Download NSSM from NSSM's official website.

  2. Install the Service:

    nssm.exe install <SERVICE-NAME>


Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization!
