Services with elevated privileges typically were used in the past as method of privilege escalation or persistence. However a service could be utilized for lateral movement since local administrators have permissions to create/restart a service and modify the binary path. PsExec was the first implementation of lateral movement by using services since it is a trusted Microsoft utility that can push an arbitrary file and register a service that will execute this file on a target host allowing a threat actor to establish access.
The following command will create an SMB server that will host an arbitrary payload.
Running PsExec will authenticate with the local administrator credentials on the target host and will execute the payload “pentestlab.exe” from the UNC path. As a result a Meterpreter session will open.
Metasploit Framework has a module which can perform via SMB lateral movement similar to PsExec. The module requires either the administrator password in plain-text or the administrator hash.
A PowerShell based payload will executed on the target and a new session will established.
However, both approaches are very noisy and even though could be used during penetration testing engagements in red teaming scenarios should be avoided. Usage of a PsExec for lateral movement is highly detectable since a new service will be created on the system and a mature Security Operation Center (SOC) should have already alerts in place.
Service Control (SC.exe) is a Microsoft utility which can be used by Administrators to create, modify, delete, start and stop a service in windows environments. In contrast with PsExec which needs to be dropped to disk this utility is part of Windows and could be abused directly to create a new service that will execute a fileless payload.
A new method of lateral movement using services has been implemented by Mr.Un1k0d3r in his tool SCShell. The .NET version uses the “OpenSCManager” API which uses remote procedure calls according to Microsoft documentation, it doesn’t create a new service as it relies on the modification of the binary path of an existing service and it can be used with a fileless payload by using the regsvr32 method.
This introduces to lateral movement via services a new stealthier approach more opsec safe compared to the existing techniques described above.
The python implementation of the “SCShell” uses “DCERPC” for authentication instead of SMB and can be executed from a non-domain joined systems.
An alternative option would be to use WMI for authentication to a target host in order to modify an existing service which is implemented in SharpMove.
The following command will execute an arbitrary payload from a UNC path on the target host by modifying an existing service similarly to “SCShell” tool.
Overall the lateral movement via services has been transitioned from SMB protocol to RPC and WMI. Modern tooling attempts to modify the binary path of valid services and execute fileless payloads to move laterally enabling red teams to continue use this technique in their engagements and to create the awareness to SOC teams about monitoring remote procedure calls on the network to identify such attacks.
This content was originally published here.