Cyb3rSn0rlax

Detecting Lateral Movement via Service Configuration Manager

Using Endpoint & Network telemetry to hunt for remote service usage for lateral movement


Last updated 3 years ago

Description

It is possible to use the Service Configuration Manager for fileless lateral movement, as explained in the SCShell (by @MrUn1k0d3r) and SharpNoPSExec (by @JulioUrena) tool repositories; both tools were used in this demo to simulate this type of attack. "So instead of creating a service it simply remotely opens a service and modifies the binary path name via the ChangeServiceConfigA API."

Both tools rely on the ChangeServiceConfigA API call to change the image path in the service configuration:

result = ChangeServiceConfig(serviceInfo.serviceHandle, SERVICE_NO_CHANGE, SERVICE_DEMAND_START, 0, options.payload, null, IntPtr.Zero, null, null, null, null);

SharpNoPSExec will query all services and randomly pick one with a start type of disabled or manual, a current status of stopped, and LocalSystem privileges, and reuse it.

The attack

Shown below is the simulation using the SCShell tool, where you have to specify the service name you want to use; in my case I used the default argument provided with the tool, XblAuthManager.

Endpoint Telemetry

On the target system we observed the following endpoint events:

Event ID 5145 (Windows Security log):

  • A network share object was checked to see whether client can be granted desired access

  • Relative Target Name : svcctl

  • Share Name : \\*\IPC$

Event ID 13 (Sysmon):

  • Registry Value Set

  • TargetObject : HKLM\System\CurrentControlSet\Services\<servicename>\ImagePath

Event ID 1 (Sysmon):

  • Process created

  • Process Name : cmd.exe

  • Process Parent Name : services.exe

Network Telemetry

In this threat hunting lab we used Zeek event logs to observe the network events generated by such an attack.

DCE-RPC protocol (Zeek dce_rpc.log):

  • DCE-RPC Operation : QueryServiceConfigA followed by ChangeServiceConfigA

  • DCE-RPC Endpoint : svcctl

EQL Detections

Endpoint:

Network:

For more detail, a PCAP capture of the attack is provided below.
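The endpoint and network observations above can be chained into a single correlation. The script below is an added example, not code from the original page or from the SCShell/SharpNoPSExec projects: it runs the two detection ideas over constructed sample events (all hosts, IPs, timestamps and field names are made up and are a simplified rendering of the Security, Sysmon and Zeek fields). On the endpoint side it requires, within a time window on one host, a 5145 for svcctl on \\*\IPC$, a Sysmon 13 write to ...\Services\<service>\ImagePath, and a Sysmon 1 where services.exe starts the new image; a local installer that writes ImagePath without the remote svcctl access is deliberately included and not flagged. On the network side it flags a QueryServiceConfig call followed by ChangeServiceConfig on endpoint svcctl between the same origin and responder, generalising the page's A-variant observation to the W variants as well.

```python
"""Added example: correlate the endpoint and Zeek DCE-RPC telemetry described on
the page over constructed sample events. Not code from the original page."""
import re
from collections import defaultdict

# Matches the Sysmon EID 13 TargetObject the page reports; captures the service name.
SVC_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)


def detect_endpoint(events, window=60.0):
    r"""Per host, chain the three endpoint signals within `window` seconds:
    5145 on \\*\IPC$ for svcctl -> Sysmon 13 writing ...\Services\<svc>\ImagePath
    -> Sysmon 1 where services.exe starts the new image. One dict per chain."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for pipe in evs:
            if not (pipe["event_id"] == 5145
                    and pipe.get("relative_target_name", "").lower() == "svcctl"
                    and pipe.get("share_name", "").upper().endswith("IPC$")):
                continue
            deadline = pipe["ts"] + window
            for reg in evs:
                if reg["event_id"] != 13 or not pipe["ts"] <= reg["ts"] <= deadline:
                    continue
                m = SVC_IMAGEPATH.search(reg.get("target_object", ""))
                if not m:
                    continue
                for proc in evs:
                    if (proc["event_id"] == 1 and reg["ts"] <= proc["ts"] <= deadline
                            and proc.get("parent_image", "").lower().endswith("\\services.exe")):
                        findings.append({"host": host, "service": m.group(1),
                                         "src_ip": pipe.get("src_ip"), "image": proc["image"]})
    return findings


def detect_dcerpc(records, window=60.0):
    """Zeek dce_rpc.log view: for each (orig, resp) pair on endpoint svcctl, flag a
    QueryServiceConfig* operation followed within `window` seconds by ChangeServiceConfig*."""
    by_pair = defaultdict(list)
    for rec in records:
        if rec.get("endpoint") == "svcctl":
            by_pair[(rec["id.orig_h"], rec["id.resp_h"])].append(rec)
    hits = []
    for (orig, resp), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        for i, q in enumerate(recs):
            if not q["operation"].startswith("QueryServiceConfig"):
                continue
            for c in recs[i + 1:]:
                if c["ts"] - q["ts"] > window:
                    break
                if c["operation"].startswith("ChangeServiceConfig"):
                    hits.append({"orig": orig, "resp": resp,
                                 "query_ts": q["ts"], "change_ts": c["ts"]})
                    break
    return hits


# Constructed sample telemetry (hosts, IPs and timestamps are made up).
ENDPOINT_EVENTS = [
    # benign local service install: ImagePath written and service started, no remote svcctl access
    {"ts": 10.0, "host": "WS01", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Services\VendorSvc\ImagePath"},
    {"ts": 10.2, "host": "WS01", "event_id": 1, "image": r"C:\Program Files\Vendor\vendorsvc.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    # the chain the page observed: remote svcctl -> ImagePath of XblAuthManager -> cmd.exe under services.exe
    {"ts": 100.0, "host": "WS01", "event_id": 5145, "share_name": r"\\*\IPC$",
     "relative_target_name": "svcctl", "src_ip": "10.0.0.5"},
    {"ts": 100.3, "host": "WS01", "event_id": 13,
     "target_object": r"HKLM\System\CurrentControlSet\Services\XblAuthManager\ImagePath"},
    {"ts": 100.5, "host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    # remote svcctl access with nothing following it (e.g. an admin listing services)
    {"ts": 200.0, "host": "WS02", "event_id": 5145, "share_name": r"\\*\IPC$",
     "relative_target_name": "svcctl", "src_ip": "10.0.0.9"},
]


def _rpc(ts, orig, op, endpoint="svcctl", resp="10.0.0.20"):
    """Build one constructed dce_rpc.log-style record."""
    return {"ts": ts, "id.orig_h": orig, "id.resp_h": resp, "endpoint": endpoint, "operation": op}


DCERPC_RECORDS = [
    _rpc(99.9, "10.0.0.5", "OpenServiceA"),
    _rpc(100.0, "10.0.0.5", "QueryServiceConfigA"),   # the sequence the page observed
    _rpc(100.2, "10.0.0.5", "ChangeServiceConfigA"),
    _rpc(100.4, "10.0.0.5", "StartServiceA"),
    _rpc(300.0, "10.0.0.9", "QueryServiceConfigW"),   # benign: query with no change behind it
    _rpc(300.5, "10.0.0.9", "LsarOpenPolicy2", endpoint="lsarpc"),
]

if __name__ == "__main__":
    for f in detect_endpoint(ENDPOINT_EVENTS):
        print("ENDPOINT:", f)
    for h in detect_dcerpc(DCERPC_RECORDS):
        print("NETWORK:", h)
```

Running the script reports one endpoint chain (WS01, service XblAuthManager, from 10.0.0.5) and one network hit (10.0.0.5 to 10.0.0.20); the benign installer and the lone QueryServiceConfigW stay silent. The time window is the tuning knob: too narrow and a slow tool slips between the signals, too wide and unrelated service maintenance starts to pair up with routine svcctl access.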

References

  • SCShell by @MrUn1k0d3r (GitHub)

  • SharpNoPSExec by @JulioUrena (GitHub)

  • ChangeServiceConfigA function (winsvc.h) - Win32 apps | Microsoft Docs

  • LM_Fileless_Lateral_Movement_ChangeServiceConfigA.pcap (8KB) - PCAP Lateral Movement via SCManager