Windows Services
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg.
Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.
An adversary may also incorporate Masquerading by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.
Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
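A defender-side counterpart to the technique described above, added here and not part of the original notes: a PowerShell audit that flags services whose executable lives in a user-writable directory and auto-starts as SYSTEM, and lists recent service installations recorded by the Service Control Manager as Event ID 7045. The directory pattern and the 7-day window are assumptions chosen for illustration.

```powershell
# Added example, not part of the original notes. Assumes an elevated PowerShell session.
# The directory pattern and the 7-day window are constructed heuristics, not definitive rules.

# Directories where legitimate service binaries almost never live but dropped payloads often do.
$UserWritablePattern = '(?i)\\(Users|Temp|AppData|ProgramData|Public|PerfLogs)\\'

function Get-SuspiciousService {
    # The same configuration stored under HKLM\SYSTEM\CurrentControlSet\Services is exposed
    # by Win32_Service as PathName (ImagePath), StartMode and StartName (run-as account).
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $reasons = @()
        $inUserDir = $_.PathName -match $UserWritablePattern
        if ($inUserDir) { $reasons += 'binary in user-writable directory' }
        # Auto-start as LocalSystem is what a persistence service wants; it is only reported
        # together with the path hit so stock Windows services are not flagged on their own.
        if ($inUserDir -and $_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem') {
            $reasons += 'auto-start as SYSTEM'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $_.Name
                ImagePath = $_.PathName
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                Reasons   = $reasons -join '; '
            }
        }
    }
}

function Get-RecentServiceInstall {
    param([int]$Days = 7)
    # Event ID 7045 ("A service was installed in the system") is logged by the Service Control
    # Manager when a service is registered through it (sc.exe, the API, New-Service).
    # A service written directly into the Registry does not pass through the SCM, so it may
    # not produce 7045 and is only caught by the configuration audit above.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = ($data | Where-Object Name -eq 'ServiceName').'#text'
            ImagePath   = ($data | Where-Object Name -eq 'ImagePath').'#text'
            StartType   = ($data | Where-Object Name -eq 'StartType').'#text'
            Account     = ($data | Where-Object Name -eq 'AccountName').'#text'
        }
    }
}

Get-SuspiciousService | Format-Table -AutoSize
Get-RecentServiceInstall | Format-Table -AutoSize
```

Baseline the output on a clean host first: every hit should be explainable, and any new 7045 entry whose ImagePath points into a user-writable directory deserves immediate review.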
Example:
In this scenario I will create a new service to achieve persistence. As mentioned previously, this only works with Administrator privileges: the service is created as Administrator, but it is executed as SYSTEM.
Here is a sample of what happens when attempting this with normal user permissions:
Now let's create it with Administrator privileges; the parameters are easy to follow:
Let us check our service:
It is currently stopped. Now we will start the service and check that our shell comes back with SYSTEM privileges.
Shell: