search

Service Control (SC)

circle-exclamation

Administrator rights on the target machine are mandatory.

The Service Controller (sc) proves particularly valuable for attackers, enabling task scheduling via SMB.

sc \\host.domain create ExampleService binpath= c:\windows\system32\calc.exe
sc \\host.domain start ExampleService

The caveat here is that the executable must specifically be a service binary. Service binaries differ in that they need to "register" with the Service Control Manager (SCM), and if not, they terminate execution. Hence, if a non-service binary is used for this purpose, it will come back as a brief agent/beacon for a moment and then terminate.

Directly creating an executable that runs as a service is possible:

CobaltStrike arrow-up-right:

In Cobalt Strike, navigate to Attacks > Packages > Windows Executable (S), and select the Service Binary output type.

Executable Windows en tant que service dans CobaltStrike

Metasploit : arrow-up-right

Using msfvenom, specify the exe-service format:

PreviousCrackmapexecNextCredentials

Last updated