Persistence – Service Control Manager

The service control manager (SCM) is responsible to start and stop services in windows environments including device drivers and start up applications. Microsoft introduced in Windows 2000 and later the Security Descriptor Definition Language (SDDL) in order to provide a textual representation for security descriptors in a more readable format. Prior to Windows 2000 security descriptors were represented as hex bytes. Permissions of the service control manager like other windows objects are managed by Discretionary Access Control List (DACL) which are also represent by SDDL.

During red team operations if elevated access has been achieved the permissions of the service control manager can be modified via the SDDL in order to grant the “Everyone” group with rights over the service control manager. This action could be used as a form of persistence since any user could create a service on the environment that will execute an arbitrary command or payload with SYSTEM level privileges every time that the computer starts. The technique was discovered by Grzegorz Tworek and was shared over Twitter.

Execution of the command below will retrieve quickly the SDDL rights of the service control manager utility.

sc sdshow scmanager
Service Control Manager – Security Descriptor

PowerShell could also be used to enumerate SDDL rights for all the user groups and convert them to a readable format.

$SD = Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Schedule\Security\
$sddl = ([wmiclass]”Win32_SecurityDescriptorHelper”).BinarySDToSDDL($SD.Security).Sddl
$SecurityDescriptor = ConvertFrom-SddlString -Sddl $sddl
Enumerate Permissions via PowerShell

The command below will enumerate the permissions of the “scmanager” utility and will display the associated SDDL rights.

sc sdshow scmanager showrights
Service Control Manager – Rights Enumeration

Users with standard level access they cannot create a service in Windows environments. This privilege belongs only to elevated users such as Local Administrators. However, modification of the security descriptor permissions for the service control manager could allow also any user to create a service that will run under the context of the SYSTEM account. Using the security descriptor definition language these permissions could be modified by executing the command below:

sc.exe sdset scmanager D:(A;;KA;;;WD)
Security Descriptor Permission Modification

The following table displays what the SDDL acronyms mean in the above command.

DDiscretionary Access Control List
AAccess Control Entry – Access Allowed
WDSecurity Principal of Everyone Group

The service configuration utility could be used to create a new service. The “binPath” parameter could store the arbitrary payload which will executed once the service starts. It should be noted that since the permissions of the service control manager changed, non elevated users can also create new services on the windows environment. In the event that the malicious service is removed by the blue team permissions will still remain allowing standard users to continue create new services to maintain persistence.

sc create pentestlab displayName= "pentestlab" binPath= "C:\temp\pentestlab.exe" start= auto
Service Control Manager – New Service from Standard User Account

The new service will appear in the list of Windows services.

Service Control Manager – New Service

When the system starts again, the service will automatically initiate and the payload will executed with SYSTEM level privileges.

Service Control Manager – Meterpreter