When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.
Installs A Local Service
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1050\bin\AtomicService.exe |
| service_name | Name of the Service | String | AtomicTestService |
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
sc.exe stop #{service_name}
sc.exe delete #{service_name}
Installs A Local Service via PowerShell
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1050\bin\AtomicService.exe |
| service_name | Name of the Service | String | AtomicTestService |
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" 2>&1 | Out-Null
Start-Service -Name "#{service_name}"
Stop-Service -Name "#{service_name}" 2>&1 | Out-Null
try {(Get-WmiObject Win32_Service -filter "name='#{service_name}'").Delete()}
catch {}