- Joined
- May 15, 2017
- Messages
- 980
- Likes
- 752
- Points
- 1,045
Fileless lateral movement tool that relies on ChangeServiceConfigA to run command. The beauty of this tool is that it doesn't perform authentication against SMB everything is performed over DCERPC.
The utility can be used remotely WITHOUT registering a service or creating a service. It also doesn't have to drop any file on the remote system* (Depend on the technique used to execute)
How it work
Instead of creating a service it simply remotely open a service and modify the binary path name via the ChangeServiceConfigA API.
Then it starts the service.
Once the execution is completed the service binary path is reverted to the original one. The original service path is extracted using QueryServiceConfigA.
Everything is happening over DCERPC including the authentication.
Download SCShell