Lateral Movement via Service Configuration Manager

It's possible to execute commands on a remote host by abusing service configuration manager by changing the service binpath to your malicious command and restarting the service so your payload gets executed - this is all automated by a nice tool SCShell

Execution

Scshell expects the following arguments: target, service, payload, username, domain, password:

.\scshell.exe ws01 XblAuthManager "C:\windows\system32\cmd.exe /c echo 'lateral hello' > c:\temp\lat.txt" spotless offense 123456

Considerations

From the defensive side, you may want to consider about monitoring services that change their binPaths "too often" as this may not be normal in your environment, especially if the binPath is "very" different (Levenshtein) to the previously known good value and if the service configuration is being changed over the network:

References

GitHub - Mr-Un1k0d3r/SCShell: Fileless lateral movement tool that relies on ChangeServiceConfigA to run commandGitHub

PreviousWMI + MSI Lateral Movement NextLateral Movement via SMB Relaying

Last updated 4 years ago