During red teaming operation, Lateral movement or know as an east-west movement refers to the technique to move deeper into a network. Such an attack allows a threat actor to avoid detection and retain persistent access. This newly published research explains how to take advantage of windows services, it details how to mimic windows services display names to deploy malicious beacon or even Meterpreter session.

Windows API Analysis

Before we start explaining deeply how I was able to achieve that, let's have a look into the current windows CreateserviceA function.

SC_HANDLE CreateServiceA(
  SC_HANDLE hSCManager,
  LPCSTR    lpServiceName,
  LPCSTR    lpDisplayName,
  DWORD     dwDesiredAccess,
  DWORD     dwServiceType,
  DWORD     dwStartType,
  DWORD     dwErrorControl,
  LPCSTR    lpBinaryPathName,
  LPCSTR    lpLoadOrderGroup,
  LPDWORD   lpdwTagId,
  LPCSTR    lpDependencies,
  LPCSTR    lpServiceStartName,
  LPCSTR    lpPassword

we can notice that lpserviceName has enough character space to place a payload but MSDN mentioned that’s service name comparisons are always case insensitive Forward-slash (/) and backslash () are not valid service name characters. While API parameter lpdisplayname allows 256 character string length and there is no bad character filtration. So that means we can at least insert some base64 formatted strings into parameter values.

Manual reproduce

by using a tool such as a process hacker we can test if we were able to create a service and fill lpdisplayname with base64 value.

image image

as you see in the previous screenshots it is possible to add base64 value into Displayname.

Heart of the problem

That’s due to insufficient filtration of the bad characters submitted the service display name string and there is not actual rate limitation for creating services.

Type of exploitation

By using this attack you can accomplish it inside the joined domain, Windows Vista and the above default policy doesn’t allow remote users with administration privileges to connect until you turn off this policy

Creating the technique

Now the idea is clear for me to start developing a working PoC that will leverage this weakness to deploy malicious binary and execute it at the end.

first, we need to build an automation module to interact with OpenSCManager API and create a service with base64 values segmented into 150 – 250 lengths. after creating the service, the program will deploy a piece of code to start the service, pop out the service display name content into the file, and then delete it to avoid duplicates. For more understanding, you can have a look at the following diagram.


By using a simple Powershell script we get the service display name value only and pip it out into a file. image

Putting the pieces together

our technique is almost ready, now it is time to use my development skills to build a complete tool to load the binary file and encode it into base64 format then divide each line into 150-250 character length. after that, it will communicate with OpenSCmanager to create a service and inject each line into lpDisplayname.

simultaneously, it will modify the value of each create service executable path as the following

C:\windows\system32\cmd.exe /c powershell -command “get-service SERVICENAME | select-string -expand |out-file tmp_payload.txt

so let’s consider you are going to deliver a 7 kb meterpreter payload or cobalt strike, then the program will create/delete around 65 services including the final payload

And finally, the tool will create a final service titled “final_stage” which will stand for decoding the content of tmp_payload.txt into a valid executable and execute it successfully.

PoC Usage

the usage of the tool is straightforward, it requires a target machine name and valid access credentials.




Lawrence Amer
offensive security expert and founder of 0xsp security research and development (SRD), passionate about hacking and breaking stuff, coder and maintainer of 0xsp-mongoose RED, and many other open-source projects