New Windows Service

Description

This persistence technique creates and registers a new service. In this module, you will supply a service name, and system command to execute by the service.

Privileges Required

Admin privileges

Arguments/Options Required

-c - command to execute
-a - arguments to command to execute (if applicable)
-n - service name
-m - method (add, remove, check, list)

Changes Made to Target System/Caveats

Adding New Service Persistence

Service is created and registered that will run automatically upon boot up and will run as SYSTEM
Needs to be ran as admin user in high integrity process (safe check for this)

Removing New Service Persistence

Service is deleted via the Service Control Manager (SCM).
Needs to be ran as admin user in high integrity process (safe check for this)

Usage/Examples

Adding New Service Persistence Trigger

SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add

Removing New Service Persistence Trigger

SharPersist -t service -n "Some Service" -m remove

Perform Dry Run of New Service Persistence Trigger

SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m check

List All Services

SharPersist -t service -m list

List All Services by Name

SharPersist -t service -m list -n "Some Service"

References

https://attack.mitre.org/techniques/T1050/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly