Detecting Lateral Movement via Service Configuration Manager
Using Endpoint & Network telemetry to hunt for remote service usage for lateral movement
Descritption
It is possible to use Service Configuration Manager for executing fileless lateral movement, which is explained in SCShell by @MrUn1k0d3r and SharpNoPSExec by @JulioUrena tools repository that were used in this demo to simulate this type of attacks. "So instead of creating a service it simply remotely open a service and modify the binary path name via the ChangeServiceConfigA
API."
Both tools rely on ChangeServiceConfigA API call to change the Image Path of the service configuration :
SharpNoPSExec will query all services and randomly pick one with a start type disable or manual, the current status stopped and with LocalSystem privileges to reuse them.
The attack
Showing bellow the simulation using SCShell tool where you have to specify the service name you wanna use, in my case I used the default arguments provided with the tool XblAuthManager
.
Endpoint Telemetry
On the target system we noticed these endpoint events
Event ID 5145 :
A network share object was checked to see whether client can be granted desired access
Relative Target Name :
svcctl
Share Name :
\\*\IPC$
Event ID 13 :
Registry Value Set
TargetObject :
HKLM\System\CurrentControlSet\Services\<servicename>\ImagePath
Event ID 1:
Process created
Process Name :
cmd.exe
Process Parent Name :
services.exe
Network Telemetry
In this threat hunting lab we used Zeek event logs to observe network events generated such an attack.
DCERPC Protocol :
DCE-RPC Operation :
QueryServiceConfigA
followed byChangeServiceConfigA
DCE-RPC Endpoint :
svcctl
EQL Detections
Endpoint:
Network:
To see more details, I provided bellow a PCAP capture of the attack.
References
Last updated