Windows Services

All commands related to services such as scquery, sccreate, scdivert, scstart and scdelete work over Remote Procedure Calls (RPC) and can actively impersonate access tokens generated with make_token or the impersonate command.

Service Enumeration

The scquery command enumerates a given host and returns a list of installed services. This command accepts 3 optional arguments. The primary argument should be the hostname, secondary argument should be full or basic to specify the type of information requested and the third argument should be a service name. If no arguments are specified, then it returns a list of all services installed with only basic information on the localhost. The basic information does not contain the description or service triggers. If a single argument (hostname/IP) is specified, then it enumerates the remote host over RPC (Remote Procedure Calls). If all the three arguments are specified, e.g: scquery DC01 full wuauserv, then it returns detailed information about that service including the description and service triggers.

Service Creation

The sccreate command can be used to create a local or a remote service. The sccreate command takes in 3 arguments, hostname, service name and path of the service executable.

To create a service on a local or remote host, the service file would first need to be uploaded to the remote host where the service needs to be created. If your badger is running under medium integrity and you have an administrator’s credentials, then you can create an administrator’s token using make_token and create a service using that token. Note that token impersonation does not escalate your privilege on the current host due to UAC, however it can perform some privileged tasks on a host in the network where the token has administrative privileges.

Service Modification

The scdivert command changes the service binary path for an existing service on local or a remote host. This command takes takes in 3 arguments. The first argument is the hostname where the service needs to be changed, the second argument is the service name, and the third argument is the path of the new service that will be replaced with the original service path. This command changes the service executable for a service to the custom service, starts the service with the modified binary path and then restores the original service executable path.

Any person who looks at the Service Control Manager will only see the service name that is running and not the process of the service, however the task manager would still show the new binary as a process running on the endpoint, but not under services. All the actions are performed over DCE/RPC.

Service Start

The scstart command is used to start a service locally or on a target host. This command takes 2 arguments i.e. the hostname and the service name to start.

Service Deletion

The scdelete command is used to delete a service locally or remotely. This command takes takes 2 arguments i.e. the hostname from which the service needs to be deleted and the second argument is the service name. For deleting a local service, use localhost as the hostname.