Leveraging Windows Services

🛠️ Service Binary Hijacking & DLL Hijacking Cheatsheet

---

🔍 Enumerate Running Services and Their Executables

Get-CimInstance -ClassName Win32_Service | 
    Select-Object Name, State, PathName | 
    Where-Object { $_.State -like 'Running' }

• Useful for identifying running services and their binary paths.

• Focus on services with binaries located in writeable paths.

---

🔐 Check Permissions on Service Binaries

Use icacls to determine access rights on binary files:

icacls "C:\xampp\apache\bin\httpd.exe"

🧾 ICACLS Permission Masks

Mask	Meaning	Description
F	Full Access	Full control
M	Modify	Modify file contents
RX	Read & Execute	Run the file
R	Read-Only	View contents only
W	Write-Only	Modify without execution

---

⚙️ Check Startup Mode of a Specific Service

Get-CimInstance -ClassName Win32_Service | 
    Select-Object Name, StartMode | 
    Where-Object { $_.Name -like 'mysql' }

• Useful for identifying services that automatically start with the system.

---

🎯 DLL Hijacking

• Target: Applications that load DLLs insecurely from user-controlled paths.

• Goal: Place a malicious DLL with the same name in a writable directory.

---

❗ Unquoted Service Path

• Check for services with unquoted executable paths containing spaces.

• Example of vulnerable path:

  C:\Program Files\Some Service\service.exe

  If unquoted, Windows may attempt:

  • C:\Program.exe

  • C:\Program Files\Some.exe

🔍 Enumerate Unquoted Service Paths

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -notlike '"*"' -and $_.PathName -match " " } |
    Select-Object Name, PathName

• Vulnerable if path is:

  • Unquoted

  • Located in a writeable location

---

✅ Remediation Tips

• Quote all service binary paths.

• Restrict write permissions on service executables.

• Monitor for unusual .exe or .dll in service directories.