Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.
Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| service_name | Name of service to create | string | ARTService |
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt |
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
sc.exe delete #{service_name}
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments Will run a command on a remote host
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| psexec_exe | Path to PsExec | string | C:\PSTools\PsExec.exe |
| remote_host | Remote hostname or IP address | string | localhost |
#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force