
# Detecting Lateral Movement via Service Configuration Manager

## Description

It is possible to use the Service Configuration Manager (SCM) for fileless lateral movement. The technique is explained in the [SCShell](https://github.com/Mr-Un1k0d3r/SCShell) repository by [@MrUn1k0d3r](https://twitter.com/MrUn1k0d3r) and the [SharpNoPSExec](https://github.com/juliourena/SharpNoPSExec) repository by [@JulioUrena](https://twitter.com/JulioUrena); both tools were used in this demo to simulate this type of attack. As the SCShell README puts it: *"So instead of creating a service it simply remotely open a service and modify the binary path name via the `ChangeServiceConfigA` API."*

Both tools rely on the `ChangeServiceConfigA` API call to change the ImagePath of the service configuration:

```csharp
// Excerpt from the tool: keep the service type (SERVICE_NO_CHANGE), set the start type to
// manual (SERVICE_DEMAND_START) and replace lpBinaryPathName with the attacker-supplied payload.
result = ChangeServiceConfig(serviceInfo.serviceHandle, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, options.payload, null, IntPtr.Zero, null, null, null, null);
```

[SharpNoPSExec](https://github.com/juliourena/SharpNoPSExec) queries all services and randomly picks one with a start type of **disabled** or **manual**, a current status of **stopped**, and running as **LocalSystem**, and reuses it.

## The attack

Shown below is the simulation using the SCShell tool, where you have to specify the service name you want to use; in my case I used the default argument provided with the tool, `XblAuthManager`.

![](/files/-MZ_kBasKKl6rYS4bkFB)

## Endpoint Telemetry

On the target system we noticed these endpoint events:

{% hint style="warning" %}
**Event ID 5145**:

* A network share object was checked to see whether client can be granted desired access
* Relative Target Name: `svcctl`
* Share Name: `\\*\IPC$`
{% endhint %}

![](/files/-MZ_lpwDCIv0cq-eTPwk)

{% hint style="warning" %}
**Event ID 13**:

* Registry Value Set
* TargetObject: `HKLM\System\CurrentControlSet\Services\<servicename>\ImagePath`
{% endhint %}

![](/files/-MZ_nYOIK_1QAvWjdCNI)

{% hint style="warning" %}
**Event ID 1**:

* Process created
* Process Name: `cmd.exe`
* Process Parent Name: `services.exe`
{% endhint %}

![](/files/-MZ_o-Pwc50TsiMGFdKb)

## Network Telemetry

In this threat hunting lab we used Zeek event logs to observe the network events generated by such an attack.

{% hint style="warning" %}
**DCERPC Protocol**:

* **DCE-RPC Operation**: `QueryServiceConfigA` followed by `ChangeServiceConfigA`
* **DCE-RPC Endpoint**: `svcctl`
{% endhint %}

![](/files/-MZ_pFtsAXKhVgHawCTd)
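As an added example (not part of the original lab and not code from SCShell or SharpNoPSExec), the following Python correlates the endpoint and network telemetry described in the two sections above: a Sysmon Event ID 13 write to a service `ImagePath` followed by a Sysmon Event ID 1 whose parent is `services.exe`, and a Zeek `dce_rpc` `QueryServiceConfigA` followed by `ChangeServiceConfigA` on the `svcctl` endpoint. The event dicts, host name, IP addresses and 60-second window are constructed assumptions, and the Zeek fields are simplified to `src`/`dst` rather than `id.orig_h`/`id.resp_h`.

```python
import re

# Sysmon Event ID 13 TargetObject for a service ImagePath; 'svc' captures the service name.
IMAGEPATH_RE = re.compile(r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\ImagePath$", re.I)
WINDOW = 60.0  # assumed max seconds between the two events of each sequence

def detect_endpoint(events):
    """EID 13 ImagePath write followed by EID 1 with parent services.exe on the same host."""
    hits = []
    for w in events:
        m = IMAGEPATH_RE.match(w.get("target", "")) if w["eid"] == 13 else None
        if not m:
            continue
        for p in events:
            if (p["eid"] == 1 and p["host"] == w["host"]
                    and p["parent"].lower().endswith("\\services.exe")
                    and 0 <= p["ts"] - w["ts"] <= WINDOW):
                hits.append((m.group("svc"), p["image"]))
    return hits

def detect_network(rpc):
    """Zeek dce_rpc: QueryServiceConfigA then ChangeServiceConfigA on svcctl, same src/dst."""
    hits = []
    calls = [r for r in rpc if r["endpoint"] == "svcctl"]
    for q in calls:
        if q["operation"] != "QueryServiceConfigA":
            continue
        for c in calls:
            if (c["operation"] == "ChangeServiceConfigA"
                    and (c["src"], c["dst"]) == (q["src"], q["dst"])
                    and 0 <= c["ts"] - q["ts"] <= WINDOW):
                hits.append((q["src"], q["dst"]))
    return hits

# Constructed sample telemetry mirroring the lab events above (not real captures).
SYSMON = [
    {"ts": 100.0, "host": "WS01", "eid": 13,
     "target": r"HKLM\System\CurrentControlSet\Services\XblAuthManager\ImagePath"},
    {"ts": 102.0, "host": "WS01", "eid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"ts": 500.0, "host": "WS01", "eid": 1, "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},  # benign: no preceding ImagePath write
]
ZEEK = [
    {"ts": 99.0, "src": "10.0.0.5", "dst": "10.0.0.20", "endpoint": "svcctl", "operation": "QueryServiceConfigA"},
    {"ts": 99.5, "src": "10.0.0.5", "dst": "10.0.0.20", "endpoint": "svcctl", "operation": "ChangeServiceConfigA"},
    {"ts": 300.0, "src": "10.0.0.9", "dst": "10.0.0.20", "endpoint": "svcctl", "operation": "QueryServiceConfigA"},
]
```

The `svchost.exe` launch and the lone `QueryServiceConfigA` are included as negatives: a service start under `services.exe` or a plain configuration query alone does not fire, only the ordered pair does.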

## EQL Detections

### Endpoint:

![](/files/-MZ_pOf45YdKMlJwjIkU)

### Network:

![](/files/-MZ_pd5dSTzBo3qh85da)

For more details, I have provided below a PCAP capture of the attack.

{% file src="/files/-MZdzVmZhNCHh2DzLOTN" %}
PCAP Lateral Movement via SCManager
{% endfile %}

## References

{% embed url="https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-changeserviceconfiga" %}
