Windows Privilege Escalation
6 - Windows Services

Windows Services

Windows Services are specialized processes designed to operate in the background without user interaction (comparable to a daemon on Linux systems). They often start automatically when the system boots and keep running after a user logs off.

Key Features of Windows Services

  • Run independently of the logged-in user.

  • Managed by the Service Control Manager (SCM); services.msc and sc.exe are front ends to it.

  • Operate in various account contexts, which decide the privileges a compromised service hands over:

    • Local Services

    • Network Services

    • System Services

    • Third-Party Application Services

Security and Attack Surface

Windows Services present a substantial attack surface: many run as LocalSystem or another privileged account, so a misconfigured service (weak permissions on the service object or its binary, an unquoted path, a writable directory on its DLL search path) lets a low-privileged user run code with that account's privileges. The next chapters cover each of these cases in turn.


Managing Services

Below are useful commands to manage Windows Services effectively:

Listing and Viewing Services

  • List All Services:

    Get-Service
  • Display Specific Properties:

    Get-Service | Select-Object DisplayName, Status, ServiceName, Can*
  • Get Binary Paths for Running Services:

    Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}

Service Operations

  • Start a Service:

    sc.exe start <SERVICE>
  • Stop a Service:

    sc.exe stop <SERVICE>
  • Check Service Configuration:

    sc.exe qc <SERVICE>

Modifying Services

  • Change the Binary Path of a Service (sc.exe requires the space after binPath=):

    sc.exe config <SERVICE> binPath= "C:\Path\to\malicious.exe"
  • Check Service Permissions:

    sc.exe sdshow <SERVICE>
  • Update Service Permissions:

    sc.exe sdset <SERVICE> <SDDL>

Advanced Operations

  • Convert SDDL to Readable Format:

    ConvertFrom-SddlString -Sddl <SDDL>
  • Get Executable Path for All Processes (wmic is deprecated in current Windows releases; the CIM cmdlets are the supported replacement):

    wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow'
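Reading the raw SDDL that sc.exe sdshow prints is the hard part of the permission check above. The following PowerShell function is an added example, not code from the original page: it decodes a service DACL and reports which principals hold rights that let them reconfigure or take over the service. The sample SDDL string, the token-to-right mapping and the list of rights treated as dangerous are the example's own assumptions.

```powershell
# Constructed sample in the shape "sc.exe sdshow <SERVICE>" prints (not a real service's DACL).
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
              '(A;;CCLCSWLOCRRC;;;IU)(A;;CCDCRPWPRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# Two-letter SDDL right tokens as they map onto service-object access rights (winsvc.h).
$ServiceRights = @{
    CC = 'QueryConfig'; DC = 'ChangeConfig'; LC = 'QueryStatus'; SW = 'EnumerateDependents'
    RP = 'Start'; WP = 'Stop'; DT = 'PauseContinue'; LO = 'Interrogate'; CR = 'UserDefinedControl'
    SD = 'Delete'; RC = 'ReadControl'; WD = 'WriteDac'; WO = 'WriteOwner'
    GA = 'GenericAll'; GX = 'GenericExecute'; GW = 'GenericWrite'; GR = 'GenericRead'
}
# Rights that let the holder change the binary path, the DACL or the owner of the service.
$Dangerous = 'ChangeConfig', 'WriteDac', 'WriteOwner', 'GenericAll', 'GenericWrite'
# Well-known SID abbreviations that cover many or all users on the host.
$BroadGroups = @{ WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'Users'; IU = 'Interactive'; AN = 'Anonymous' }

function Get-ServiceSddlRisk {
    param([Parameter(Mandatory)][string]$Sddl)
    # The DACL is "D:" + optional flags + a run of "(...)" ACEs; the "S:" SACL only audits.
    if (-not ($Sddl -match 'D:[A-Z]*((?:\([^)]*\))+)')) { throw 'No DACL found in SDDL string' }
    $dacl = $Matches[1]
    foreach ($ace in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $field = $ace.Groups[1].Value -split ';'   # type;flags;rights;objguid;inhguid;sid
        if ($field[0] -ne 'A') { continue }         # only access-allowed ACEs grant anything
        if ($field[2] -like '0x*') {
            $rights = @($field[2])                  # raw mask: sdshow prints hex when no token fits
        } else {
            $rights = foreach ($tok in [regex]::Matches($field[2], '..')) {
                if ($ServiceRights.ContainsKey($tok.Value)) { $ServiceRights[$tok.Value] } else { $tok.Value }
            }
        }
        $sid = $field[5]
        $name = if ($BroadGroups.ContainsKey($sid)) { $BroadGroups[$sid] } else { $sid }
        [pscustomobject]@{
            Principal  = $name
            BroadGroup = $BroadGroups.ContainsKey($sid)
            Dangerous  = [bool]($rights | Where-Object { $Dangerous -contains $_ })
            Rights     = $rights -join ','
        }
    }
}

# In the constructed sample the AU ACE grants DC (ChangeConfig) to Authenticated Users,
# the pattern the "Weak Service Permissions" chapter is about.
Get-ServiceSddlRisk -Sddl $SampleSddl | Format-Table -AutoSize
# Live use: Get-ServiceSddlRisk -Sddl ((sc.exe sdshow <SERVICE>) -join '').Trim()
```

A row with both BroadGroup and Dangerous set is the one to fix with sc.exe sdset (or by removing the offending ACE through the service's security settings).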

Adding a New Service

To add a new service, you must provide an executable file (.exe) that implements the Windows Service API, i.e. one that calls StartServiceCtrlDispatcher and registers a control handler. A plain program registered as a service never reports its status back, so the SCM kills it and the start fails with error 1053 ("the service did not respond to the start or control request in a timely fashion").

Creating a Service Using sc.exe

  1. Create the Service (sc.exe requires the space after binPath=):

    sc.exe create <SERVICE-NAME> binPath= "<PATH-TO-EXECUTABLE>"
  2. Verify the Configuration:

    sc.exe qc <SERVICE-NAME>
  3. Start the Service:

    sc.exe start <SERVICE-NAME>
  4. Stop the Service:

    sc.exe stop <SERVICE-NAME>
  5. Delete the Service:

    sc.exe delete <SERVICE-NAME>

Compiling a Custom Service

To create a custom Windows Service, write the code in a language like C and compile it using mingw-w64.

Example Compilation Command:

x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c

Once compiled, follow the steps above to register, start, and manage the service.


Using NSSM (Non-Sucking Service Manager)

For simplicity, you can use NSSM to run any arbitrary .bat or .exe file as a service: NSSM itself implements the service API and runs the target program as a child process, so the target needs no service code of its own. Download NSSM from NSSM's official website (see Other Resources).

  1. Install the Service:

    nssm.exe install <SERVICE-NAME>

Run with only the service name, nssm.exe install opens a dialog in which the executable path, its arguments and the start directory are set; the program path can also be passed as additional arguments on the command line.

Other Resources

  • Windows local privilege escalation: https://xorond.com/posts/2021/04/wind...

  • ConvertFrom-SddlString: https://learn.microsoft.com/en-us/pow...

  • Security Descriptor Definition Language (SDDL): https://learn.microsoft.com/en-us/win...

  • Create Windows service from executable: https://stackoverflow.com/questions/3...

  • The Non-Sucking Service Manager (NSSM's official website): https://nssm.cc/

  • Very basic Windows Service template in C (simpleService.c): https://gist.github.com/mmmunk/0b0adb...

  • Cygwin and MinGW Options: https://gcc.gnu.org/onlinedocs/gcc/Cy...

  • Working with SDDL: https://www.advancedinstaller.com/for...

Disclaimer

❗ Never use tools and techniques on real IP addresses, hosts or networks without proper authorization! ❗