Existing Windows services can have backdoors added to them using Metasploit’s msfvenom. Begin by finding a candidate service:
Create a replacement service file using msfvenom (alternately, a backdoor could be added directly to the binary):
The use of exe-service here rather than exe ensures that the correct APIs are available. Alternately, if you’re not trying to be stealthy than a simple application can be used instead (this will run successfully, but register as a failure in the Windows event logs).
USERNAME and PASSWORD obviously need to be updated to fit the current use case. Unlike msfvenom payloads, as of August 17th 2022 binaries compiled from this code are not detected as malicious by Windows Defender.
Finally, update the service definition:
If the service executable is specified with an unquoted path, then it’s only necessary to place the malicious binary earlier in the implicit search path.