New Service

ID: T1050 Tactic: Persistence, Privilege Escalation

When operating systems boot up, they can start programs or applications called services that perform background systems funcionts. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name form a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.

Services in Windows environment can lead to privilege escalation if these are not configured properly or can be used as a persistence method. Creating a new service requires Administrator level privileges and it is not considered the stealthier of persistence techniques. However in red team operations against companies that are less mature towards threat detection can be used to create further noise and build SOC capability to identify threats that are using basic techniques in their malware.

In the following example I will use CMD to create a new service with Administrator privileges and connect back to my attacking machine using the nc.exe binary

sc create redteam binpath= "PATH TO BINARY" start="auto" obj="LocalSystem"

Make sure there is a empty space between (= ")

For this technique is reliable and simple to understand and create as a one-line command will create you a reverse shell by manually inserting the commands this can also be done with other incredible tools such as Powershell, PowerSploit, Empire, Metasploit and many other's.


Last updated