Lateral Movement via Service Configuration Manager
It's possible to execute commands on a remote host by abusing service configuration manager by changing the service binpath to your malicious command and restarting the service so your payload gets executed - this is all automated by a nice tool SCShell
Execution
Scshell expects the following arguments: target, service, payload, username, domain, password:
Considerations
From the defensive side, you may want to consider about monitoring services that change their binPaths "too often" as this may not be normal in your environment, especially if the binPath is "very" different (Levenshtein) to the previously known good value and if the service configuration is being changed over the network:
References
Last updated