Unquoted Service Name

Detection

.\winPEAS.exe quiet servicesinfo

Get-CimInstance -ClassName win32_service | Where-Object { $_.PathName -notlike '"*"' -and $_.PathName -like '* *' } | Select Name, PathName

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v '\"'  # Not only auto services

Exploitation

If a service's binary path is not enclosed in quotes and contains spaces (e.g., C:\Program Files\Some App\service.exe), Windows tries to resolve the executable at each space in turn, so it may first attempt to run everything before the first space. For C:\Program.exe, you could place your malicious executable there.

Find a writable directory in the path (e.g., C:\Program Files\) and place a malicious executable named Some.exe. Restart the service to trigger execution.
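The following PowerShell is an added example, not part of the original page. It computes the candidate paths Windows would try for an unquoted service path (the mechanism described above) and extends the detection one-liners by reporting which candidate directories exist and grant write rights to broad groups, so findings can be prioritized and fixed by quoting the ImagePath. It skips paths whose binary has no space (e.g. svchost.exe with arguments), which the plain `-like '* *'` filter flags. The group-name and rights matching is a heuristic assumption, not an effective-permissions check.

```powershell
# Added example, not from the original page: enumerate unquoted service paths,
# derive the candidate executables Windows would try, and check their directories.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)
    # Assumption: the binary path ends at the first ".exe"; anything after is arguments.
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    $binary = if ($m.Success) { $m.Groups[1].Value } else { $PathName }
    $parts = $binary -split ' '
    $candidates = @()
    # Each prefix before a space, plus ".exe", is tried before the real binary.
    # A binary path without spaces yields no candidates (no false positive).
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    # Heuristic assumption: an Allow ACE for a broad principal with write-class
    # rights counts as writable. Deny ACEs and effective access are not evaluated.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE' -and
            $ace.FileSystemRights.ToString() -match 'Write|Modify|FullControl|CreateFiles') {
            return $true
        }
    }
    return $false
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notlike '"*' } |
        ForEach-Object {
            $svc = $_
            foreach ($candidate in (Get-UnquotedPathCandidates -PathName $svc.PathName)) {
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service       = $svc.Name
                    StartMode     = $svc.StartMode
                    Candidate     = $candidate
                    DirExists     = (Test-Path -LiteralPath $dir)
                    BroadWriteAce = (Test-BroadWriteAccess -Directory $dir)
                }
            }
        }
}

Find-UnquotedServicePath | Format-Table -AutoSize
```

Any row with DirExists and BroadWriteAce both true is the case to fix first; the remediation is to quote the service's binary path, e.g. from cmd: sc.exe config <name> binPath= "\"C:\Program Files\Some App\service.exe\"".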
