Local services
Exploit local Windows services
Existing Windows services can have backdoors added to them using Metasploit’s msfvenom. Begin by finding a candidate service:
Create a replacement service file using msfvenom (alternately, a backdoor could be added directly to the binary):
The use of
exe-service
here rather thanexe
ensures that the correct APIs are available. Alternately, if you’re not trying to be stealthy than a simple application can be used instead (this will run successfully, but register as a failure in the Windows event logs).USERNAME and PASSWORD obviously need to be updated to fit the current use case. Unlike msfvenom payloads, as of August 17th 2022 binaries compiled from this code are not detected as malicious by Windows Defender.
Finally, update the service definition:
If the service executable is specified with an unquoted path, then it’s only necessary to place the malicious binary earlier in the implicit search path.
Link to original
Remote services
Exploit remote Windows services
Warning
By default, UAC restricts remote sc.exe calls to domain admins and the default local “Administrator” account. Local Windows admins cannot call this service remotely without first disabling UAC!
The sc.exe command can also be used to create and manipulate services on remote machines. This uses the Windows RPC (TCP 135), but will fall back to named pipes over SMB (TCP 445) or NetBIOS (TCP 139). (In fact, this is how sc.exe works locally as well; the only difference is that in this case a local named pipe is always used.)
Note that this is a blind attack — there will be no output indicating success or failure.
Link to original