# Insecure Service Executables

### Overview

**Insecure Service Executables** is a Windows local privilege escalation technique where a **service runs with high privileges** (typically **LocalSystem**) and the **service executable itself is writable** by a **low-privileged user**.

By **replacing or modifying the service’s executable**, an attacker can cause **arbitrary code execution as SYSTEM** the next time the service starts.

Core issue: the **DACL of the service's executable** grants write access to users who should not have it.

### Why This Works

Windows services:

1. Run under a configured account (often SYSTEM)
2. Load an executable from a filesystem path
3. **Do not validate file ownership or integrity** at startup

If the binary is writable:

* The Service Control Manager (SCM) does not check *who* last modified it
* It only requires that the file exists at the configured path and is executable

### Prerequisites

1. Local Low-Privileged Access
2. Service Runs as High Privilege
3. Writable Service Executable (`Write`, `Modify` or `FullControl` on the actual `.exe`)
4. Ability to Restart the Service

### Useful commands

```powershell
# List services whose binary lives outside the Windows directory
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows"
# Get running services with their binary paths
Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName | Where-Object { $_.State -eq 'Running' }
```

### Steps

1. Confirm Service Privileges:

   ```cmd
   sc qc <serviceName>
   ```
2. Verify Writable Executable (check for permissions such as `FILE_ALL_ACCESS`):

   ```cmd
   accesschk.exe /accepteula -quvw "C:\Program Files\File Permissions Service\filepermservice.exe"

   :: Check for M (Modify) or F (Full) access in the icacls output
   icacls "C:\Program Files\File Permissions Service\filepermservice.exe"
   ```
3. Replace the Service Executable

   ```cmd
   copy /Y service.exe "C:\Program Files\VulnApp\service.exe"
   ```
4. Start/Restart the service.
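An added audit script (not from the original checklist) that automates the checks in steps 1 and 2 from the defender's side: it enumerates every service, extracts the executable path from the raw `PathName` (quoted, unquoted, or followed by arguments), and reports binaries whose DACL grants write-type rights to low-privileged principals. The principal list and the rights mask are assumptions of this example; run it from an elevated PowerShell so every binary's ACL is readable.

```powershell
# Added example: audit services for executables writable by low-privileged principals.
# Principals treated as "low-privileged" (assumption; extend for your environment).
$LowPrivPrincipals = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Rights that allow the file contents or its ACL to be changed (assumption).
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
               [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Resolve-ServiceBinary {
    # PathName may be quoted, unquoted, and/or followed by arguments: keep only the .exe path.
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Resolve-ServiceBinary $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    try { $acl = Get-Acl -LiteralPath $exe } catch { return }
    foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       (($ace.FileSystemRights -band $WriteRights) -ne 0)
        if ($grantsWrite -and ($LowPrivPrincipals -contains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Service   = $_.Name
                StartName = $_.StartName   # account the service runs as, e.g. LocalSystem
                StartMode = $_.StartMode
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}
```

A row with `StartName` of `LocalSystem` and `Modify` or `FullControl` rights is exactly the condition this page describes; remediate by removing the offending ACE (for example with `icacls <exe> /remove:g <principal>`) and verifying with `accesschk` that only administrators retain write access.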
