
Created: 03.06.2023

Services can be abused in several ways, but they are most often used as privilege escalation and persistence mechanisms.


👑 - need admin.

🔑 HKLM\SYSTEM\CurrentControlSet\Services. The executable needs service-specific code and permissions to behave as a service, and there are three options for abusing this:

  1. New service. If the Start value is 0x2 (see 🔑 above), the service starts at boot. Example 🦠: APT1, RIP listener service. ⚒️ sc [queryex|qc|qprivs|qtriggerinfo]. The main idea is to create a service with a plausible, valid-looking name that does not raise suspicion. There is a multitude of services on a Windows machine, so it is easy to hide in plain sight.
  2. Hijacking, aka replacement. Requires modifying an existing service, usually a rarely used one. Example 🦠: GlassRAT.
  3. Service failure/recovery. Load something bad 🦠 when something good and service-like 👼 crashes. You can define what happens when a certain service crashes; usually it is restarting the service, but this setting can be changed to launch another executable. ⚒️ Kansa PowerShell Framework (Get_SvcFail.ps1 script), event logs. There are vulnerabilities that reliably crash RDP.
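As an added example (not Kansa's or this page's code), the PowerShell below walks the same registry key and flags each service for the three abuses just listed: an auto-start binary outside %SystemRoot%, a missing/unsigned binary (replacement), and a configured FailureCommand (recovery). It assumes an elevated Windows PowerShell 5.1+ session and is read-only.

```powershell
# Added example, not Kansa or page code: read-only triage of the service key
# above for the three abuses (new service, replacement, failure/recovery).
# Assumes an elevated Windows PowerShell 5.1+ session.
$SvcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn an ImagePath such as  %SystemRoot%\system32\svchost.exe -k netsvcs
# or  "C:\Program Files\x\svc.exe" -arg  into the path of the binary itself.
function Get-ServiceBinary([string]$ImagePath) {
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($path -match '^(.+?\.(exe|sys))(\s|$)') { $path = $Matches[1] }
    # driver entries are often relative to the Windows directory (System32\drivers\x.sys)
    if ($path -notmatch '^([A-Za-z]:|\\\\)') { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Get-ServiceFindings([string]$Root = $SvcRoot) {
    foreach ($key in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath) { continue }
        $bin   = Get-ServiceBinary $p.ImagePath
        $flags = @()
        # 1. New service: auto-start (Start = 2) with its binary outside %SystemRoot%
        if ($p.Start -eq 2 -and $bin -notlike "$env:SystemRoot\*") {
            $flags += 'AutoStartOutsideSystemRoot'
        }
        # 2. Replacement: binary on disk is missing, unsigned, or has a broken signature
        if (Test-Path -LiteralPath $bin -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $bin
            if ($sig.Status -ne 'Valid') { $flags += "Signature=$($sig.Status)" }
        } else {
            $flags += 'BinaryMissing'
        }
        # 3. Failure/recovery: FailureCommand exists only when recovery runs a program
        if ($p.FailureCommand) { $flags += "FailureCommand=$($p.FailureCommand)" }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Service = $key.PSChildName
                Start   = $p.Start
                Binary  = $bin
                Flags   = $flags -join '; '
            }
        }
    }
}

# Rare flags first is the stacking view; pipe to Export-Csv to stack across hosts
Get-ServiceFindings | Sort-Object Flags, Service | Format-Table -AutoSize -Wrap
```

Third-party services are frequently unsigned, so treat Signature and AutoStart flags as triage hints to stack across hosts rather than verdicts.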

Kansa has several scripts to stack services. You can also use the general one:

.\Get-LogparserStack.ps1 -FilePattern *SvcAll.csv -Delimiter "," -Direction asc -OutFile SvcAll-workstation-stack.csv

To do the same job with PowerShell:

$csvFiles = Get-ChildItem -Path ".\*SvcAll.csv"
$result = @()

foreach ($csvFile in $csvFiles) {
    $data = Import-Csv -Path $csvFile.FullName
    $result += $data
}

# check the column names before grouping on them
$result[0] | Get-Member -MemberType NoteProperty | Select-Object Name
# stack on service name + binary path; PC lists the hosts sharing each pair
$groupedData = $result | Group-Object -Property Name, PathName |
    Select-Object Count,
        @{Name="Name";     Expression={$_.Group[0].Name}},
        @{Name="PathName"; Expression={$_.Group[0].PathName}},
        @{Name="PC";       Expression={($_.Group.PSComputerName | Sort-Object -Unique) -join ";"}} |
    Sort-Object Count
$groupedData | Export-Csv -Path "result.csv" -NoTypeInformation


Unused services (Linux, systemd). To stop a service and keep it from starting at boot:

sudo systemctl stop <servicename>
sudo systemctl disable <servicename>


⚙️ The most relevant keys in a launchd plist are the following:

  1. Label
  2. Arguments
  3. RunAtLoad - persistence.
  4. PathState (https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf)
  5. StartCalendarInterval (https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf)

👻 launchd process is responsible for running these items. 📚 Reference: A Launch tutorial, https://www.launchd.info/; “Getting Started with Launchd for Sys Admins,” Penn State MacAdmins Conference 2012, https://macadmins.psu.edu/files/2012/11/psumacconf2012-launchd.pdf.

An example (the Label value is a placeholder):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC ...>
<plist version="1.0"><dict>
    <key>Label</key><string>PLACEHOLDER_LABEL</string>
    <key>ProgramArguments</key>
    <array>
        <string>argument 1</string>
        <string>argument 2</string>
    </array>
    <key>RunAtLoad</key><true/>
</dict></plist>

Wardle, Patrick. The Art of Mac Malware (p. 27). No Starch Press. Kindle Edition.


These items (launch agents) run once the user is logged in. They do not have root permissions and may interact with the user session.

The plists can be found here:


# to read the file run
plutil -p <path to plist>
defaults read <path to plist>


These items (launch daemons) usually run before the user logs in, do not require user interaction, and run with 👑 root permissions.

The plists can be found here:


# to read the file run
plutil -p <path to plist>
defaults read <path to plist>

