akde/infosec

Information security is ultimately about managing risk


Enumeration

In PowerShell

Caution: This command works via RDP in an interactive session, but NOT in a non-privileged bind/winrm shell.

All services:

PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName

All running services:

PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

PS> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} | Where-Object { -not ($_.PathName -like '*indows*') }

All autostart programs (not services, but it fits here anyway…):

PS> Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List

Check whether a service starts automatically at boot:

PS> Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysq*'} # -like is not grep: the wildcard * is required

In Windows command line

schtasks /query /fo LIST /v
net start
tasklist /v
tasklist /SVC // Shows the services hosted by each running process
accesschk.exe /accepteula -ucqv $servicename // Shows which users have permissions on a service
accesschk64.exe /accepteula -wvucq $currentUserName $serviceexe // Shows the permissions you have

The following lists all service names and their binaries. Afterwards, check interesting files with cacls / icacls.

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

Show the paths of all executable files used by Windows services:

sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

With escalation scripts

  • Execute winPEASany.exe quiet servicesinfo and see if there are interesting services.
  • Use PowerUp with AllChecks to also see services and their executables. Note if there is a service with CanRestart: True.

Handling services with sc

sc query state= all // shows all services
sc qc $service // shows one service
sc start $service
sc stop $service
sc config $service start= demand // only needed to enable a service that is disabled. Remember to disable it again afterwards.

Handling services with wmic

Show processes:

wmic /node:$victim /user:$user /password:$password process list brief

Kill processes by PID or name:

wmic /node:$victim /user:$user /password:$password process where processid="$pid" delete
wmic /node:$victim /user:$user /password:$password process where name="$name" delete

Note: Check the file permissions of each service binary — if we can write to one, we can replace the file or inject our own code with Shellter!

Exploitation

If you need to restart a service:

PS> Restart-Service BetaService

Binary hijacking

Is there a writable binary that you can execute? See the binary hijacking article.

DLL injection + hijacking

Does the target run (privileged) software you can install on your own VM? Investigate with Procmon whether it loads DLLs you could overwrite. See the DLL injection article.

Unquoted Service Paths

Check whether a (privileged) service runs from a path containing spaces, in a directory where we could write a binary. See the Unquoted Service Path article.
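As an added audit example (not code from the original page), the following PowerShell script ties the service-path enumeration above to the unquoted-path check: it queries the same Win32_Service class, flags every service whose PathName is unquoted and contains a space, and lists the directories whose write ACLs then need review. The function name is assumed; the remediation hint in the comment is the standard quoting of binPath.

```powershell
# Added audit helper, not code from the original page. Uses the same
# Win32_Service class as the enumeration commands above and flags services
# whose binary path is unquoted and contains a space. Each prefix ending at
# a space is a location the service control manager may try before the
# real executable, so the parent directory of every such prefix is listed.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = $_.PathName.Trim()
            # A path that starts with a double quote is already safe.
            if ($path.StartsWith('"')) { return }

            # Cut off arguments: the executable ends at the first ".exe".
            $exeEnd = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
            $exe = if ($exeEnd -ge 0) { $path.Substring(0, $exeEnd + 4) } else { $path }
            if ($exe -notmatch ' ') { return }

            # Directories whose write ACLs should be reviewed: the parent of
            # every prefix that ends at a space.
            $dirs = New-Object System.Collections.Generic.List[string]
            $idx = $exe.IndexOf(' ')
            while ($idx -ge 0) {
                $dirs.Add((Split-Path -Parent $exe.Substring(0, $idx)))
                $idx = $exe.IndexOf(' ', $idx + 1)
            }

            [PSCustomObject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                State     = $_.State
                PathName  = $path
                ReviewAcl = ($dirs | Select-Object -Unique) -join '; '
            }
        }
}

# Run the audit. The fix for a flagged service is to quote its binPath, e.g.
#   sc.exe config <name> binPath= "\"C:\Program Files\Vendor\svc.exe\""
Get-UnquotedServicePath | Format-List
```

A service only shows up here if its path is unquoted and contains a space; the ReviewAcl column is where icacls should confirm that only administrators can write.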
